Received: by 2002:a17:90b:8d0:0:0:0:0 with SMTP id ds16csp4879428pjb; Mon, 27 Jul 2020 07:27:33 -0700 (PDT) X-Google-Smtp-Source: ABdhPJx6T5QL9htELGQ83NQ0DVsDZLz1FvJ686Pc/V3EGZTLzJ89uy52x16uiql9sBWYXPOpCfjC X-Received: by 2002:aa7:d688:: with SMTP id d8mr4481274edr.168.1595860053318; Mon, 27 Jul 2020 07:27:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1595860053; cv=none; d=google.com; s=arc-20160816; b=urbZoniRdPQa1f5F9058+0HL/4xPe7BYJvwD/sU2xBTXbpw7GipTiGH13QVLFbdlqW IwZUvC8dJNkqgDD/mNZwGkw8ZBJjZi0jxOP6A2KoC6DszFPMcPNzOk0d/Jkm4CGZEjZG hOIKjCi2y7Mp3VL5DXQCETxE+ufO98pAIgFkerpv7PFrDNzJ2cYI9mL80qKfb5IYog29 AQyGV2MFYbpZV69RKafUDRVhju28FFzMR/byCxe8abH2jGpv6dhTeNJt4x4gdF9tKbzh LXrmfGHjgA5TBSSL+7/NCQutIIQ66/PzHAtWPV+DuFNt5bM7LNlk2EPDErK3pTprlHB4 T9wQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=nJ3daeuWvdBQVj260jSUQmi0fM1pwLlnVaLFYGRZ/Qg=; b=zzq9rHT2Xmf3CRhy8qRXkaI588J6iTT1+AbOyKQqdJFH0lyWAhEIjPHTQmysnxCvXw PLCvqwv1oyOqtm12LBkLSSXjPGAhpCff0b152PJKvrFx0Sd1jYldsSxo+P94fyY3tJcT A08So27VloJBd9sPRCcGbyqrqJh3a839b2s2XfIyjPJaJ2BPYfGUMjHRCute+vZKLLNR GaEGafmun4OT5Svh9bxzKXus7/VA5t/dyzheXzTpgUmGjDKxjYsikJboUOsB1QV/nX8K fEBQThH1P/9Ixfb80qrGbgaJEKG3xGcj2ChQRyfGHW5owpaLaVQGOVNPXgofNrKGJ3Za xhHg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=TyrnaELT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id r3si5319161ejr.664.2020.07.27.07.27.10; Mon, 27 Jul 2020 07:27:33 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=TyrnaELT; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732519AbgG0OZu (ORCPT + 99 others); Mon, 27 Jul 2020 10:25:50 -0400 Received: from mail.kernel.org ([198.145.29.99]:55882 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732495AbgG0OZr (ORCPT ); Mon, 27 Jul 2020 10:25:47 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 4861921775; Mon, 27 Jul 2020 14:25:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1595859946; bh=W6z7dnpeGGRWpWZZKzTCo6fCMQg2u8gAj9/OmC7aNfg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=TyrnaELTqI+lXmWgC8dDLl5Qv1Wx0+eMwnDuH8B0FvejniHLuzBrnREJtG7VfTEPs gfb5GNfrSKnDekDD7aVgu0BwR1PJ7LUQy2Y0vdePwjGY/AsiAan3vyFnBcC4Zv4EST 939VGZdkId2Bdu9Axt3FnZWyhbZRu6Hl96iMfHuM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ian Abbott Subject: [PATCH 5.7 149/179] staging: comedi: addi_apci_1500: check INSN_CONFIG_DIGITAL_TRIG shift Date: Mon, 27 Jul 2020 16:05:24 +0200 Message-Id: <20200727134939.928825242@linuxfoundation.org> X-Mailer: git-send-email 2.27.0 In-Reply-To: <20200727134932.659499757@linuxfoundation.org> References: <20200727134932.659499757@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Ian Abbott commit fc846e9db67c7e808d77bf9e2ef3d49e3820ce5d upstream. The `INSN_CONFIG` comedi instruction with sub-instruction code `INSN_CONFIG_DIGITAL_TRIG` includes a base channel in `data[3]`. This is used as a right shift amount for other bitmask values without being checked. Shift amounts greater than or equal to 32 will result in undefined behavior. Add code to deal with this, adjusting the checks for invalid channels so that enabled channel bits that would have been lost by shifting are also checked for validity. Only channels 0 to 15 are valid. Fixes: a8c66b684efaf ("staging: comedi: addi_apci_1500: rewrite the subdevice support functions") Cc: #4.0+: ef75e14a6c93: staging: comedi: verify array index is correct before using it Cc: #4.0+ Signed-off-by: Ian Abbott Link: https://lore.kernel.org/r/20200717145257.112660-5-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman --- drivers/staging/comedi/drivers/addi_apci_1500.c | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) --- a/drivers/staging/comedi/drivers/addi_apci_1500.c +++ b/drivers/staging/comedi/drivers/addi_apci_1500.c @@ -452,13 +452,14 @@ static int apci1500_di_cfg_trig(struct c struct apci1500_private *devpriv = dev->private; unsigned int trig = data[1]; unsigned int shift = data[3]; - unsigned int hi_mask = data[4] << shift; - unsigned int lo_mask = data[5] << shift; - unsigned int chan_mask = hi_mask | lo_mask; - unsigned int old_mask = (1 << shift) - 1; + unsigned int hi_mask; + unsigned int lo_mask; + unsigned int chan_mask; + unsigned int old_mask; unsigned int pm; unsigned int pt; unsigned int pp; + unsigned int invalid_chan; if (trig > 1) { dev_dbg(dev->class_dev, @@ -466,7 +467,20 @@ static int apci1500_di_cfg_trig(struct c return -EINVAL; } - if (chan_mask > 0xffff) { + if (shift <= 16) { + hi_mask = data[4] << shift; + lo_mask = data[5] << shift; + old_mask = (1U << shift) - 1; + invalid_chan = (data[4] | data[5]) >> (16 - shift); + } else { + hi_mask = 0; + lo_mask = 0; + old_mask = 0xffff; + invalid_chan = data[4] | data[5]; + } + chan_mask = hi_mask | lo_mask; + + if (invalid_chan) { dev_dbg(dev->class_dev, "invalid digital trigger channel\n"); return -EINVAL; }