Received: by 2002:a05:6a10:d5a5:0:0:0:0 with SMTP id gn37csp4436084pxb; Tue, 5 Oct 2021 03:06:39 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyBAVY4GpR8cETyc9Svq6FROOWY5YjzSCH0ZDM8UsDs3mFT3v1Xf4ARQd3aIvQFqJFYce/Q X-Received: by 2002:a17:90a:bf82:: with SMTP id d2mr2747938pjs.201.1633428398850; Tue, 05 Oct 2021 03:06:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1633428398; cv=none; d=google.com; s=arc-20160816; b=fIZHtKvvVmhby4oct5Jw/akUpyZ4hb9im3s5J4UI6ipGKKbhW7gIciqfm/GIupFyGS 5/CvuDLXVFrU951KorWLhsXScsDAmUyiYcD9wXrPoxbTmGplu5fnvwrpmBCGbqAbI9+2 SK88kMQ2XmauU6CmB4sDXy+yfAWpK4aF++rD+fdDyzW4uUb3dullYDqZlOXrcT0MJjqw OFuVMJ7IOuvMf5GW4Y7rgi4PQ8PDNB9oEXUlKT0TXnaV5nHKjA+yhO/f+wi5Fqcmrhvy uOyTxwA7/nwUGNsTSgMxFA6I0ZHWbt1J0JrYakWGq9g3WQjFgoG2RWbA6cLU8BdxfHI2 WMfA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:mail-followup-to:message-id:subject:cc:to:from:date; bh=DSJF7G5Jbuzo1PonkZsyDAtCcBwoW7BKZ3Vk/ZbQbho=; b=IG3vExe+YrGQpE6oL5ktn26MxAlqmjVaxPQ27bTkl5S95qHfU9PhwhyYPG1aYJzYPD eXYYB3nekF4QJlrdgcj/vtFRJXajSUEifjr9+bKsuRBgWHbLE5ygIVNbmzhW8lSDsHkb EfHEc7tW8/26CzL+QJxZBjPU3zw2dNS3FibulOi+f1xvE//Ykq0qVDS7tPO4UAY3i/5n eJqoCkbbxx/RrYt9YYucMyuKztKnk5lMoBDl7Xq5Cl4R/LQ0c4Q3GaCAJmyKHPS0AN/R yOajPN0wgucDzMl6W5JdAoE4ErBJHcL1KK3WyXFXBz42gI3KlANykxZlLePenjwwK7vJ V1KA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id nn14si2016748pjb.104.2021.10.05.03.06.19; Tue, 05 Oct 2021 03:06:38 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233779AbhJEKFx (ORCPT + 99 others); Tue, 5 Oct 2021 06:05:53 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38852 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233819AbhJEKFr (ORCPT ); Tue, 5 Oct 2021 06:05:47 -0400 Received: from relay07.th.seeweb.it (relay07.th.seeweb.it [IPv6:2001:4b7a:2000:18::168]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 46E5EC06174E for ; Tue, 5 Oct 2021 03:03:56 -0700 (PDT) Received: from SoMainline.org (94-209-165-62.cable.dynamic.v4.ziggo.nl [94.209.165.62]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by m-r2.th.seeweb.it (Postfix) with ESMTPSA id 02B013F585; Tue, 5 Oct 2021 12:03:51 +0200 (CEST) Date: Tue, 5 Oct 2021 12:03:50 +0200 From: Marijn Suijten To: Daniel Thompson Cc: phone-devel@vger.kernel.org, Andy Gross , Bjorn Andersson , Lee Jones , Jingoo Han , ~postmarketos/upstreaming@lists.sr.ht, AngeloGioacchino Del Regno , Konrad Dybcio , Martin Botka , Jami Kettunen , Pavel Dubrova , Kiran Gunda , Courtney Cavin , Bryan Wu , linux-arm-msm@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH 04/10] backlight: qcom-wled: Validate enabled string indices in DT Message-ID: <20211005100350.p56xuq74qsc7vhyp@SoMainline.org> Mail-Followup-To: Daniel Thompson , phone-devel@vger.kernel.org, Andy Gross , Bjorn Andersson , Lee Jones , Jingoo Han , ~postmarketos/upstreaming@lists.sr.ht, AngeloGioacchino Del Regno , Konrad Dybcio , Martin Botka , Jami Kettunen , Pavel Dubrova , Kiran Gunda , Courtney Cavin , Bryan Wu , linux-arm-msm@vger.kernel.org, dri-devel@lists.freedesktop.org, linux-fbdev@vger.kernel.org, linux-kernel@vger.kernel.org References: <20211004192741.621870-1-marijn.suijten@somainline.org> <20211004192741.621870-5-marijn.suijten@somainline.org> <20211005091452.4ecqhlhrdxdgvs3c@maple.lan> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20211005091452.4ecqhlhrdxdgvs3c@maple.lan> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2021-10-05 10:14:52, Daniel Thompson wrote: > On Mon, Oct 04, 2021 at 09:27:35PM +0200, Marijn Suijten wrote: > > The strings passed in DT may possibly cause out-of-bounds register > > accesses and should be validated before use. > > > > Fixes: 775d2ffb4af6 ("backlight: qcom-wled: Restructure the driver for WLED3") > > The first half of this patch actually fixes patch 1 from this patch set. > It would be better to move that code there. It only helps guarding against a maximum of 3 leds for WLED3, while using string_len instead of an unintentional sizeof(u32) (resulting in a fixed size of 4) is a different issue requiring a separate patch to fix. Would it help to reorder this patch before 1/10, and mention in patch 1/10 (then 2/10) that, besides properly using string_len instead of hardcoded 4 (which causes wrong reads from DT on top of this), it relies on the previous patch to prevent against an array longer than 3 for WLED3? - Marijn > Daniel. > > > > Signed-off-by: Marijn Suijten > > Reviewed-by: AngeloGioacchino Del Regno > > --- > > drivers/video/backlight/qcom-wled.c | 14 ++++++++++++++ > > 1 file changed, 14 insertions(+) > > > > diff --git a/drivers/video/backlight/qcom-wled.c b/drivers/video/backlight/qcom-wled.c > > index 29910e603c42..27e8949c7922 100644 > > --- a/drivers/video/backlight/qcom-wled.c > > +++ b/drivers/video/backlight/qcom-wled.c > > @@ -1526,6 +1526,12 @@ static int wled_configure(struct wled *wled) > > "qcom,enabled-strings", > > sizeof(u32)); > > if (string_len > 0) { > > + if (string_len > wled->max_string_count) { > > + dev_err(dev, "Cannot have more than %d strings\n", > > + wled->max_string_count); > > + return -EINVAL; > > + } > > + > > rc = of_property_read_u32_array(dev->of_node, > > "qcom,enabled-strings", > > wled->cfg.enabled_strings, > > @@ -1537,6 +1543,14 @@ static int wled_configure(struct wled *wled) > > return -EINVAL; > > } > > > > + for (i = 0; i < string_len; ++i) { > > + if (wled->cfg.enabled_strings[i] >= wled->max_string_count) { > > + dev_err(dev, "qcom,enabled-strings index %d at %d is out of bounds\n", > > + wled->cfg.enabled_strings[i], i); > > + return -EINVAL; > > + } > > + } > > + > > cfg->num_strings = string_len; > > } > > > > -- > > 2.33.0 > >