From patchwork Thu May 17 04:19:51 2018
X-Patchwork-Submitter: Frank Rowand
X-Patchwork-Id: 915062
From: frowand.list@gmail.com
To: Rob Herring, pantelis.antoniou@konsulko.com, Pantelis Antoniou
Cc: Dan Carpenter, devicetree@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] of: overlay: validate offset from property fixups
Date: Wed, 16 May 2018 21:19:51 -0700
Message-Id: <1526530791-18591-1-git-send-email-frowand.list@gmail.com>
X-Mailing-List: devicetree@vger.kernel.org

From: Frank Rowand

The smatch static checker marks the data in offset as untrusted,
leading it to warn:

  drivers/of/resolver.c:125 update_usages_of_a_phandle_reference()
  error: buffer underflow 'prop->value' 's32min-s32max'

Add check to verify that offset is within the property data.

Reported-by: Dan Carpenter
Signed-off-by: Frank Rowand
---
 drivers/of/resolver.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/drivers/of/resolver.c b/drivers/of/resolver.c index 65d0b7adfcd4..7edfac6f1914 100644 --- a/drivers/of/resolver.c +++ b/drivers/of/resolver.c @@ -122,6 +122,11 @@ static int update_usages_of_a_phandle_reference(struct device_node *overlay, goto err_fail; } + if (offset < 0 || offset + sizeof(__be32) > prop->length) { + err = -EINVAL; + goto err_fail; + } + *(__be32 *)(prop->value + offset) = cpu_to_be32(phandle); }
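Review bot: the upper-bound half of the new test in update_usages_of_a_phandle_reference(), `offset + sizeof(__be32) > prop->length`, is evaluated as an unsigned comparison because sizeof yields a size_t, so it is only correct because `offset < 0` is tested first in the same condition. A one-line comment saying the order matters would keep a later cleanup from splitting or reordering the two tests and reintroducing the write that smatch flagged at `*(__be32 *)(prop->value + offset)`. Separately, the new failure path sets `err = -EINVAL` and jumps to `err_fail` without logging anything, so an overlay with a bad fixup offset is rejected with no indication of which property or offset was at fault; a pr_err() naming both before the goto would make that diagnosable.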