[1/1] regmap: fix range checks

Message ID	20220929222706.27184-1-xypron.glpk@gmx.de
State	Accepted
Delegated to:	Tom Rini
Headers	show Return-Path: <u-boot-bounces@lists.denx.de> From: Heinrich Schuchardt <xypron.glpk@gmx.de> To: Simon Glass <sjg@chromium.org> Cc: u-boot@lists.denx.de, Heinrich Schuchardt <xypron.glpk@gmx.de> Subject: [PATCH 1/1] regmap: fix range checks Date: Thu, 29 Sep 2022 22:27:06 +0000 Message-Id: <20220929222706.27184-1-xypron.glpk@gmx.de> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Precedence: list Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
Series	[1/1] regmap: fix range checks \| expand [1/1] regmap: fix range checks

Message ID

20220929222706.27184-1-xypron.glpk@gmx.de

State

Accepted

Delegated to:

Tom Rini

Headers

From: Heinrich Schuchardt <xypron.glpk@gmx.de>
To: Simon Glass <sjg@chromium.org>
Cc: u-boot@lists.denx.de,
	Heinrich Schuchardt <xypron.glpk@gmx.de>
Subject: [PATCH 1/1] regmap: fix range checks
Date: Thu, 29 Sep 2022 22:27:06 +0000
Message-Id: <20220929222706.27184-1-xypron.glpk@gmx.de>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: list
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>

Series

[1/1] regmap: fix range checks | expand

Commit Message

Heinrich Schuchardt Sept. 29, 2022, 10:27 p.m. UTC

On the 32bit ARM sandbox 'dm ut dm_test_devm_regmap' fails with an abort.
This is due to incorrect range checks.

On 32-bit systems the size of size_t and int is both 32 bit. The expression
(offset + val_len) is bound to overflow if offset == -1. Add an overflow
check.

Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
---
 drivers/core/regmap.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--
2.34.1

Comments

Simon Glass Sept. 30, 2022, 1:28 p.m. UTC | #1

On Thu, 29 Sept 2022 at 16:27, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote:
>
> On the 32bit ARM sandbox 'dm ut dm_test_devm_regmap' fails with an abort.
> This is due to incorrect range checks.
>
> On 32-bit systems the size of size_t and int is both 32 bit. The expression
> (offset + val_len) is bound to overflow if offset == -1. Add an overflow
> check.
>
> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
> ---
>  drivers/core/regmap.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

Reviewed-by: Simon Glass <sjg@chromium.org>

Tom Rini Oct. 12, 2022, 7:14 p.m. UTC | #2

On Thu, Sep 29, 2022 at 10:27:06PM +0000, Heinrich Schuchardt wrote:

> On the 32bit ARM sandbox 'dm ut dm_test_devm_regmap' fails with an abort.
> This is due to incorrect range checks.
> 
> On 32-bit systems the size of size_t and int is both 32 bit. The expression
> (offset + val_len) is bound to overflow if offset == -1. Add an overflow
> check.
> 
> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
> Reviewed-by: Simon Glass <sjg@chromium.org>

Applied to u-boot/master, thanks!

diff --git a/drivers/core/regmap.c b/drivers/core/regmap.c
index 5f98f85cfc..5ccbf9abb8 100644
--- a/drivers/core/regmap.c
+++ b/drivers/core/regmap.c
@@ -399,7 +399,7 @@  int regmap_raw_read_range(struct regmap *map, uint range_num, uint offset,
 	range = &map->ranges[range_num];

 	offset <<= map->reg_offset_shift;
-	if (offset + val_len > range->size) {
+	if (offset + val_len > range->size || offset + val_len < offset) {
 		debug("%s: offset/size combination invalid\n", __func__);
 		return -ERANGE;
 	}
@@ -538,7 +538,7 @@  int regmap_raw_write_range(struct regmap *map, uint range_num, uint offset,
 	range = &map->ranges[range_num];

 	offset <<= map->reg_offset_shift;
-	if (offset + val_len > range->size) {
+	if (offset + val_len > range->size || offset + val_len < offset) {
 		debug("%s: offset/size combination invalid\n", __func__);
 		return -ERANGE;
 	}

[1/1] regmap: fix range checks

Commit Message

Comments

Patch