From: Ian Abbott
To: devel@driverdev.osuosl.org
Cc: Greg Kroah-Hartman, Ian Abbott, H Hartley Sweeten, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH 2/4] staging: comedi: addi_apci_1032: check INSN_CONFIG_DIGITAL_TRIG shift
Date: Fri, 17 Jul 2020 15:52:55 +0100
Message-Id: <20200717145257.112660-3-abbotti@mev.co.uk>
In-Reply-To: <20200717145257.112660-1-abbotti@mev.co.uk>
References: <20200717145257.112660-1-abbotti@mev.co.uk>

The `INSN_CONFIG` comedi instruction with sub-instruction code `INSN_CONFIG_DIGITAL_TRIG` includes a base channel in `data[3]`. This is used as a right shift amount for other bitmask values without being checked. Shift amounts greater than or equal to 32 will result in undefined behavior. Add code to deal with this.

Fixes: 33cdce6293dcc ("staging: comedi: addi_apci_1032: conform to new INSN_CONFIG_DIGITAL_TRIG"
Cc: #3.8+
Signed-off-by: Ian Abbott
---
 .../staging/comedi/drivers/addi_apci_1032.c | 20 +++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/drivers/staging/comedi/drivers/addi_apci_1032.c b/drivers/staging/comedi/drivers/addi_apci_1032.c index 560649be9d13..e035c9f757a1 100644 --- a/drivers/staging/comedi/drivers/addi_apci_1032.c +++ b/drivers/staging/comedi/drivers/addi_apci_1032.c
@@ -106,14 +106,22 @@ static int apci1032_cos_insn_config(struct comedi_device *dev, unsigned int *data) { struct apci1032_private *devpriv = dev->private; - unsigned int shift, oldmask; + unsigned int shift, oldmask, himask, lomask; switch (data[0]) { case INSN_CONFIG_DIGITAL_TRIG: if (data[1] != 0) return -EINVAL; shift = data[3]; - oldmask = (1U << shift) - 1; + if (shift < 32) { + oldmask = (1U << shift) - 1; + himask = data[4] << shift; + lomask = data[5] << shift; + } else { + oldmask = 0xffffffffu; + himask = 0; + lomask = 0; + } switch (data[2]) { case COMEDI_DIGITAL_TRIG_DISABLE: devpriv->ctrl = 0; @@ -136,8 +144,8 @@ static int apci1032_cos_insn_config(struct comedi_device *dev, devpriv->mode2 &= oldmask; } /* configure specified channels */ - devpriv->mode1 |= data[4] << shift; - devpriv->mode2 |= data[5] << shift; + devpriv->mode1 |= himask; + devpriv->mode2 |= lomask; break; case COMEDI_DIGITAL_TRIG_ENABLE_LEVELS: if (devpriv->ctrl != (APCI1032_CTRL_INT_ENA | @@ -154,8 +162,8 @@ static int apci1032_cos_insn_config(struct comedi_device *dev, devpriv->mode2 &= oldmask; } /* configure specified channels */ - devpriv->mode1 |= data[4] << shift; - devpriv->mode2 |= data[5] << shift; + devpriv->mode1 |= himask; + devpriv->mode2 |= lomask; break; default: return -EINVAL; -- 2.27.0
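
Review bot: In the first hunk (`@@ -106,14 +106,22 @@`), the `else` branch for `shift >= 32` does not reject the out-of-range base channel. It sets `oldmask = 0xffffffffu` and zeroes `himask` and `lomask`, so the later `&= oldmask` and `|= himask` / `|= lomask` lines leave `mode1` and `mode2` unchanged. Please add a short comment above `if (shift < 32)` saying that this is the intended result (no channel falls inside the 32-bit masks, so keep every old bit and add none), or return `-EINVAL` there as the function already does for `data[1] != 0`. The commit message only says "Add code to deal with this", so a reader of the code cannot tell which behaviour was chosen or why. Separately, `data[4]` and `data[5]` are now read above `switch (data[2])`, which means they are also read for `COMEDI_DIGITAL_TRIG_DISABLE`; please confirm that all six data words are always present for this sub-instruction.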
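
Review bot: In the second and third hunks (`@@ -136,8 +144,8 @@` and `@@ -154,8 +162,8 @@`), the names `himask` and `lomask` do not line up with the fields they are ORed into, `devpriv->mode1` and `devpriv->mode2`, and the same pair is reused in both cases that the hunks touch. A one-line comment where the two values are computed, stating that `himask` is the shifted `data[4]` destined for `mode1` and `lomask` is the shifted `data[5]` destined for `mode2`, would save the reader from scrolling back up to the first hunk to check the mapping.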