linux/drivers
H. Nikolaus Schaller 932d47448c power: generic-adc-battery: fix out-of-bounds write when copying channel properties
We did have sporadic problems in the pinctrl framework during boot
where a pin group name unexpectedly became NULL leading to a NULL
dereference in strcmp.

Detailed analysis of the failing cases did reveal that there were
two devm allocated objects close to each other. The second one was
the affected group_desc in pinmux and the first one was the
psy_desc->properties buffer of the gab driver.

Review of the gab code showed that the address calculation for
one memcpy() is wrong. It does

	properties + sizeof(type) * index

but C is defined to do the index multiplication already for
pointer + integer additions. Hence the factor was applied twice
and the memcpy() does write outside of the properties buffer.
Sometimes it happened to be the pinctrl and triggered the strcmp(NULL).

Anyways, it is overkill to use a memcpy() here instead of a simple
assignment, which is easier to read and has less risk for wrong
address calculations. So we change code to a simple assignment.

If we initialize the index to the first free location, we can even
remove the local variable 'properties'.

This bug seems to exist right from the beginning in 3.7-rc1 in

commit e60fea794e ("power: battery: Generic battery driver using IIO")

Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
Cc: stable@vger.kernel.org
Fixes: e60fea794e ("power: battery: Generic battery driver using IIO")
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
2018-07-06 18:40:34 +02:00
..
accessibility
acpi pwm: Changes for v4.18-rc1 2018-06-14 16:25:43 +09:00
amba Merge branch 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm 2018-06-06 13:49:25 -07:00
android treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
ata treewide: devm_kzalloc() -> devm_kcalloc() 2018-06-12 16:19:22 -07:00
atm treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
auxdisplay treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
base Additional power management updates for 4.18-rc1 2018-06-13 07:24:18 -07:00
bcma dma-mapping updates for 4.18: 2018-06-04 10:58:12 -07:00
block The main piece is a set of libceph changes that revamps how OSD 2018-06-15 07:24:58 +09:00
bluetooth
bus - Error path bug fix for overflow tests (Dan) 2018-06-12 18:28:00 -07:00
cdrom treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
char docs: Fix some broken references 2018-06-15 18:10:01 -03:00
clk docs: Fix some broken references 2018-06-15 18:10:01 -03:00
clocksource treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
connector Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2018-06-06 18:39:49 -07:00
cpufreq Additional power management updates for 4.18-rc1 2018-06-13 07:24:18 -07:00
cpuidle powerpc updates for 4.18 2018-06-07 10:23:33 -07:00
crypto treewide: devm_kzalloc() -> devm_kcalloc() 2018-06-12 16:19:22 -07:00
dax libnvdimm for 4.18 2018-06-08 17:21:52 -07:00
dca
devfreq treewide: devm_kzalloc() -> devm_kcalloc() 2018-06-12 16:19:22 -07:00
dio
dma fix a series of Documentation/ broken file name references 2018-06-15 18:10:01 -03:00
dma-buf
edac treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
eisa
extcon treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
firewire treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
firmware Merge branch 'akpm' (patches from Andrew) 2018-06-15 08:51:42 +09:00
fmc treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
fpga
fsi
gpio treewide: devm_kzalloc() -> devm_kcalloc() 2018-06-12 16:19:22 -07:00
gpu Solve a series of broken links for files under Documentation: 2018-06-17 05:25:18 +09:00
hid docs: fix broken references with multiple hints 2018-06-15 18:10:01 -03:00
hsi
hv treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
hwmon treewide: devm_kzalloc() -> devm_kcalloc() 2018-06-12 16:19:22 -07:00
hwspinlock hwspinlock updates for v4.18 2018-06-11 12:09:19 -07:00
hwtracing treewide: devm_kzalloc() -> devm_kcalloc() 2018-06-12 16:19:22 -07:00
i2c Merge branch 'i2c/for-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2018-06-14 16:21:46 +09:00
ide treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
idle
iio treewide: devm_kzalloc() -> devm_kcalloc() 2018-06-12 16:19:22 -07:00
infiniband treewide: Use array_size() in kvzalloc_node() 2018-06-12 16:19:22 -07:00
input docs: Fix some broken references 2018-06-15 18:10:01 -03:00
iommu - Error path bug fix for overflow tests (Dan) 2018-06-12 18:28:00 -07:00
ipack treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
irqchip treewide: devm_kzalloc() -> devm_kcalloc() 2018-06-12 16:19:22 -07:00
isdn treewide: Use array_size() in vmalloc() 2018-06-12 16:19:22 -07:00
leds treewide: devm_kzalloc() -> devm_kcalloc() 2018-06-12 16:19:22 -07:00
lightnvm docs: Fix some broken references 2018-06-15 18:10:01 -03:00
macintosh powerpc updates for 4.18 2018-06-07 10:23:33 -07:00
mailbox treewide: devm_kzalloc() -> devm_kcalloc() 2018-06-12 16:19:22 -07:00
mcb
md docs: Fix some broken references 2018-06-15 18:10:01 -03:00
media Solve a series of broken links for files under Documentation: 2018-06-17 05:25:18 +09:00
memory - Error path bug fix for overflow tests (Dan) 2018-06-12 18:28:00 -07:00
memstick treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
message treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
mfd Merge branch 'i2c/for-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2018-06-14 16:21:46 +09:00
misc Merge branch 'i2c/for-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2018-06-14 16:21:46 +09:00
mmc treewide: devm_kzalloc() -> devm_kcalloc() 2018-06-12 16:19:22 -07:00
mtd - Error path bug fix for overflow tests (Dan) 2018-06-12 18:28:00 -07:00
mux
net Solve a series of broken links for files under Documentation: 2018-06-17 05:25:18 +09:00
nfc treewide: devm_kmalloc() -> devm_kmalloc_array() 2018-06-12 16:19:22 -07:00
ntb - Error path bug fix for overflow tests (Dan) 2018-06-12 18:28:00 -07:00
nubus Char/Misc driver patches for 4.18-rc1 2018-06-05 16:20:22 -07:00
nvdimm Merge branch 'for-4.18/mcsafe' into libnvdimm-for-next 2018-06-08 15:16:44 -07:00
nvme Merge branch 'nvme-4.18' of git://git.infradead.org/nvme into for-linus 2018-06-15 08:11:05 -06:00
nvmem treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
of - Error path bug fix for overflow tests (Dan) 2018-06-12 18:28:00 -07:00
opp treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
oprofile treewide: Use array_size() in vmalloc() 2018-06-12 16:19:22 -07:00
parisc dma-mapping updates for 4.18: 2018-06-04 10:58:12 -07:00
parport docs: Fix some broken references 2018-06-15 18:10:01 -03:00
pci - Error path bug fix for overflow tests (Dan) 2018-06-12 18:28:00 -07:00
pcmcia treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
perf
phy Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2018-06-06 18:39:49 -07:00
pinctrl treewide: devm_kzalloc() -> devm_kcalloc() 2018-06-12 16:19:22 -07:00
platform fix a series of Documentation/ broken file name references 2018-06-15 18:10:01 -03:00
pnp media updates for v4.18-rc1 2018-06-07 12:34:37 -07:00
power power: generic-adc-battery: fix out-of-bounds write when copying channel properties 2018-07-06 18:40:34 +02:00
powercap treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
pps
ps3
ptp
pwm pwm: Changes for v4.18-rc1 2018-06-14 16:25:43 +09:00
rapidio treewide: Use array_size() in vmalloc() 2018-06-12 16:19:22 -07:00
ras
regulator treewide: devm_kzalloc() -> devm_kcalloc() 2018-06-12 16:19:22 -07:00
remoteproc treewide: use PHYS_ADDR_MAX to avoid type casting ULLONG_MAX 2018-06-15 07:55:25 +09:00
reset - Error path bug fix for overflow tests (Dan) 2018-06-12 18:28:00 -07:00
rpmsg rpmsg: smd: do not use mananged resources for endpoints and channels 2018-06-04 12:35:03 -07:00
rtc - New Device Support 2018-06-11 07:20:17 -07:00
s390 treewide: Use array_size() in vzalloc() 2018-06-12 16:19:22 -07:00
sbus fix a series of Documentation/ broken file name references 2018-06-15 18:10:01 -03:00
scsi SCSI fixes on 20180613 2018-06-14 16:35:32 +09:00
sfi
sh treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
siox
slimbus treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
sn
soc treewide: use PHYS_ADDR_MAX to avoid type casting ULLONG_MAX 2018-06-15 07:55:25 +09:00
soundwire docs: Fix more broken references 2018-06-15 18:11:26 -03:00
spi treewide: devm_kzalloc() -> devm_kcalloc() 2018-06-12 16:19:22 -07:00
spmi
ssb
staging media: v4l: fix broken video4linux docs locations 2018-06-15 18:10:01 -03:00
target treewide: Use array_size() in vzalloc() 2018-06-12 16:19:22 -07:00
tc
tee
thermal - Error path bug fix for overflow tests (Dan) 2018-06-12 18:28:00 -07:00
thunderbolt
tty vfs/y2038: inode timestamps conversion to timespec64 2018-06-15 07:31:07 +09:00
uio treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
usb vfs/y2038: inode timestamps conversion to timespec64 2018-06-15 07:31:07 +09:00
uwb treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
vfio VFIO updates for v4.18 2018-06-12 13:11:26 -07:00
vhost virtio, vhost: features, fixes 2018-06-16 06:35:02 +09:00
video Solve a series of broken links for files under Documentation: 2018-06-17 05:25:18 +09:00
virt treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
virtio virtio, vhost: features, fixes 2018-06-16 06:35:02 +09:00
visorbus
vlynq
vme
w1 Char/Misc driver patches for 4.18-rc1 2018-06-05 16:20:22 -07:00
watchdog MIPS changes for 4.18 2018-06-12 12:56:02 -07:00
xen treewide: kvmalloc() -> kvmalloc_array() 2018-06-12 16:19:22 -07:00
zorro - Introduce arithmetic overflow test helper functions (Rasmus) 2018-06-06 17:27:14 -07:00
Kconfig
Makefile