From patchwork Tue Feb 20 09:40:16 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Geert Uytterhoeven X-Patchwork-Id: 875462 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.infradead.org (client-ip=2607:7c80:54:e::133; helo=bombadil.infradead.org; envelope-from=linux-snps-arc-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=lists.infradead.org header.i=@lists.infradead.org header.b="XYz3Z0EI"; dkim-atps=neutral Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:e::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 3zlx3C2fBfz9ryy for ; Tue, 20 Feb 2018 21:01:27 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe: List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:References: In-Reply-To:Message-Id:Date:Subject:To:From:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Owner; bh=QAorwRHgRhpn9EtgYJDhzhuY1qfXIB4IcBTUD8uGcI4=; b=XYz3Z0EISI3tSS8H3S4p0FdDXs DuZKSEO/JYTqHvLsFVFTwn5LeISg5udAHB+MPQXPXJn/5EezGkByTKPlSv12e3/g7JNOvObUl1SxT wGv754Lm7dDsIabsFN+m82n//7Y2vjSsPfzFLNvXDhg2fbKixqeRL65eBGyyYmKnAu/PfM7uIIr4v 63ktzQ0Sm9EMvN7RjSjnvqUN/nOApCefPKQrd6nsYGaHaj2LEJQ6uGI53bONMwAvptPm7O2j8WKPy H+kOfCdW6uw9jkm9MvZL6fhvmG/dMmwgW1xVxUSWsixBHQ5711+3t1US0c8ELR5RmqRD/eBkDfbqV kvcCLznQ==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.89 #1 (Red Hat Linux)) id 1eo4ji-0001DA-Jh; Tue, 20 Feb 2018 10:01:22 +0000 Received: from albert.telenet-ops.be ([2a02:1800:110:4::f00:1a]) by bombadil.infradead.org with esmtps (Exim 4.89 #1 (Red Hat Linux)) id 1eo4g6-0006QZ-Gd for linux-snps-arc@lists.infradead.org; Tue, 20 Feb 2018 09:57:47 +0000 Received: from ayla.of.borg ([84.194.111.163]) by albert.telenet-ops.be with bizsmtp id CxxL1x00u3XaVaC06xxLa6; Tue, 20 Feb 2018 10:57:25 +0100 Received: from ramsan.of.borg ([192.168.97.29] helo=ramsan) by ayla.of.borg with esmtp (Exim 4.86_2) (envelope-from ) id 1eo4fo-0002mu-Q5; Tue, 20 Feb 2018 10:57:20 +0100 Received: from geert by ramsan with local (Exim 4.86_2) (envelope-from ) id 1eo4PU-0000LO-7W; Tue, 20 Feb 2018 10:40:28 +0100 From: Geert Uytterhoeven To: Greg Kroah-Hartman Subject: [PATCH 1/9] serial: arc_uart: Fix out-of-bounds access through DT alias Date: Tue, 20 Feb 2018 10:40:16 +0100 Message-Id: <1519119624-1268-2-git-send-email-geert+renesas@glider.be> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1519119624-1268-1-git-send-email-geert+renesas@glider.be> References: <1519119624-1268-1-git-send-email-geert+renesas@glider.be> X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20180220_015738_849865_5DA37541 X-CRM114-Status: UNSURE ( 7.87 ) X-CRM114-Notice: Please train this message. X-Spam-Score: -2.4 (--) X-Spam-Report: SpamAssassin version 3.4.1 on bombadil.infradead.org summary: Content analysis details: (-2.4 points) pts rule name description ---- ---------------------- -------------------------------------------------- -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at http://www.dnswl.org/, low trust [2a02:1800:110:4:0:0:f00:1a listed in] [list.dnswl.org] 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000] X-BeenThere: linux-snps-arc@lists.infradead.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: Linux on Synopsys ARC Processors List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: devicetree@vger.kernel.org, Barry Song , Geert Uytterhoeven , Vineet Gupta , Michal Simek , linux-kernel@vger.kernel.org, linux-renesas-soc@vger.kernel.org, linux-serial@vger.kernel.org, Jiri Slaby , linux-snps-arc@lists.infradead.org, linux-arm-kernel@lists.infradead.org MIME-Version: 1.0 Sender: "linux-snps-arc" Errors-To: linux-snps-arc-bounces+incoming=patchwork.ozlabs.org@lists.infradead.org The arc_uart_ports[] array is indexed using a value derived from the "serialN" alias in DT, which may lead to an out-of-bounds access. Fix this by adding a range check. Note that the array size is defined by a Kconfig symbol (CONFIG_SERIAL_ARC_NR_PORTS), so this can even be triggered using a legitimate DTB. Fixes: 10640deb04b7949a ("serial: arc_uart: Fix out-of-bounds access through DT alias") Signed-off-by: Geert Uytterhoeven --- drivers/tty/serial/arc_uart.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/tty/serial/arc_uart.c b/drivers/tty/serial/arc_uart.c index 2599f9ecccfe7769..1cb827a6b836d0dd 100644 --- a/drivers/tty/serial/arc_uart.c +++ b/drivers/tty/serial/arc_uart.c @@ -593,6 +593,11 @@ static int arc_serial_probe(struct platform_device *pdev) if (dev_id < 0) dev_id = 0; + if (dev_id >= CONFIG_SERIAL_ARC_NR_PORTS) { + dev_err(&pdev->dev, "serial%d out of range\n", dev_id); + return -EINVAL; + } + uart = &arc_uart_ports[dev_id]; port = &uart->port;