[PATCH] mfd: mt6370: add bounds checking to regmap_read/write functions
Andy Shevchenko
andy.shevchenko at gmail.com
Tue Aug 23 15:09:32 PDT 2022
On Fri, Aug 19, 2022 at 8:25 AM Dan Carpenter <dan.carpenter at oracle.com> wrote:
>
> It looks like there are a potential out of bounds accesses in the
> read/write() functions. Also can "len" be negative? Let's check for
> that too.
...
> + if (bank_idx >= ARRAY_SIZE(info->i2c))
Okay, the index of the bank comes from arbitrary data and here you
want to prevent it from overflowing.
> + return -EINVAL;
...
> + if (len < 0 || bank_idx >= ARRAY_SIZE(info->i2c))
> + return -EINVAL;
Ditto here. But what I would do differently is a check for len.
Instead split the assignment and do a check beforehand.
unsigned int len;
if (count < MT6370_MAX_ADDRLEN)
return -EINVAL;
len = count - MT6370_MAX_ADDRLEN;
--
With Best Regards,
Andy Shevchenko
More information about the Linux-mediatek
mailing list