linux/drivers/power/supply
H. Nikolaus Schaller 932d47448c power: generic-adc-battery: fix out-of-bounds write when copying channel properties
We did have sporadic problems in the pinctrl framework during boot
where a pin group name unexpectedly became NULL leading to a NULL
dereference in strcmp.

Detailed analysis of the failing cases did reveal that there were
two devm allocated objects close to each other. The second one was
the affected group_desc in pinmux and the first one was the
psy_desc->properties buffer of the gab driver.

Review of the gab code showed that the address calculation for
one memcpy() is wrong. It does

	properties + sizeof(type) * index

but C is defined to do the index multiplication already for
pointer + integer additions. Hence the factor was applied twice
and the memcpy() does write outside of the properties buffer.
Sometimes it happened to be the pinctrl and triggered the strcmp(NULL).

Anyways, it is overkill to use a memcpy() here instead of a simple
assignment, which is easier to read and has less risk for wrong
address calculations. So we change code to a simple assignment.

If we initialize the index to the first free location, we can even
remove the local variable 'properties'.

This bug seems to exist right from the beginning in 3.7-rc1 in

commit e60fea794e ("power: battery: Generic battery driver using IIO")

Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
Cc: stable@vger.kernel.org
Fixes: e60fea794e ("power: battery: Generic battery driver using IIO")
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
2018-07-06 18:40:34 +02:00
..
88pm860x_battery.c
88pm860x_charger.c
ab8500_bmdata.c power: supply: ab8500: Drop AB8540/9540 support 2018-04-25 23:49:44 +02:00
ab8500_btemp.c power: supply: ab8500: Drop AB8540/9540 support 2018-04-25 23:49:44 +02:00
ab8500_charger.c power: supply: ab8500_charger: fix spelling mistake: "faile" -> "failed" 2018-05-01 13:31:38 +02:00
ab8500_fg.c power: supply: ab8500: Drop AB8540/9540 support 2018-04-25 23:49:44 +02:00
abx500_chargalg.c power: supply: ab8500: Drop AB8540/9540 support 2018-04-25 23:49:44 +02:00
act8945a_charger.c power: supply: act8945a_charger: fix of_irq_get() error check 2017-07-24 14:09:00 +02:00
apm_power.c
axp20x_ac_power.c power: supply: account for const type of of_device_id.data 2018-01-08 18:40:46 +01:00
axp20x_battery.c power: supply: axp20x_battery: add support for AXP813 2018-03-09 16:52:33 +01:00
axp20x_usb_power.c power: supply: axp20x_usb_power: Drop unnecessary static 2017-05-15 15:28:14 +02:00
axp288_charger.c power: supply: axp288_charger: Fix initial constant_charge_current value 2018-07-06 17:19:37 +02:00
axp288_fuel_gauge.c power: supply: axp288_fuel_gauge: Remove polling from the driver 2018-04-26 00:49:52 +02:00
bq27xxx_battery_hdq.c power: supply: bq27xxx: move platform driver code into bq27xxx_battery_hdq.c 2017-07-25 15:31:21 +02:00
bq27xxx_battery_i2c.c power: supply: bq27xxx: Add support for BQ27426 2018-04-25 23:11:47 +02:00
bq27xxx_battery.c power: supply: bq27xxx: Add support for BQ27426 2018-04-25 23:11:47 +02:00
bq2415x_charger.c power: supply: bq2415x: add DT referencing support 2018-03-12 14:34:51 +01:00
bq24190_charger.c bq24190: Simplify code in property_is_writeable 2018-01-08 18:40:06 +01:00
bq24257_charger.c power: bq24257: Fix use of uninitialized pointer bq->charger 2016-09-19 20:56:22 +02:00
bq24735-charger.c power: supply: bq24735: remove incorrect le16_to_cpu calls 2017-06-15 16:47:35 +02:00
bq25890_charger.c power: supply: bq25890: Use gpiod_get() 2017-04-14 01:41:34 +02:00
charger-manager.c treewide: devm_kzalloc() -> devm_kcalloc() 2018-06-12 16:19:22 -07:00
collie_battery.c
cpcap-battery.c power: supply: cpcap-battery: Fix platform_get_irq_byname's error checking 2017-12-01 16:22:10 +01:00
cpcap-charger.c power: supply: cpcap-charger: fix incorrect return value check 2017-11-13 11:56:12 +01:00
da9030_battery.c
da9052-battery.c
da9150-charger.c
da9150-fg.c power: supply: da9150-fg: remove VLA usage 2018-03-12 14:34:52 +01:00
ds2760_battery.c w1: Add subsystem kernel public interface 2017-06-09 11:54:54 +02:00
ds2780_battery.c power: add to_power_supply macro to the API 2018-02-21 23:27:13 +01:00
ds2781_battery.c power: add to_power_supply macro to the API 2018-02-21 23:27:13 +01:00
ds2782_battery.c
generic-adc-battery.c power: generic-adc-battery: fix out-of-bounds write when copying channel properties 2018-07-06 18:40:34 +02:00
goldfish_battery.c
gpio-charger.c power: supply: simplify getting .drvdata 2018-04-25 23:15:51 +02:00
ipaq_micro_battery.c power: ipaq_micro_battery: fix alias 2016-11-23 23:44:40 +01:00
isp1704_charger.c power: supply: isp1704: Fix unchecked return value of devm_kzalloc 2017-05-01 11:52:25 +02:00
jz4740-battery.c
Kconfig Merge branch 'for-linus' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2017-11-15 10:14:11 -08:00
lego_ev3_battery.c power: supply: New driver for LEGO MINDSTORMS EV3 battery 2017-04-14 01:41:35 +02:00
lp8727_charger.c
lp8788-charger.c power: supply: lp8788: Make several arrays static const * const 2017-08-12 13:58:14 -04:00
ltc2941-battery-gauge.c Merge branch 'fixes' into for-next 2018-03-12 14:35:10 +01:00
ltc3651-charger.c power: supply: ltc3651-charger: fix some error codes in probe 2017-06-08 13:05:27 +02:00
Makefile Merge branch 'i2c/for-4.15' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2017-11-14 17:52:21 -08:00
max1721x_battery.c power: supply: Add support for MAX1721x standalone fuel gauge 2017-07-24 14:09:34 +02:00
max8903_charger.c
max8925_power.c
max8997_charger.c power: supply: max8997: Improve a size determination in probe 2017-11-06 13:49:12 +01:00
max8998_charger.c
max14577_charger.c
max14656_charger_detector.c power: supply: max14656: Export I2C and OF device ID as module aliases 2017-01-29 23:15:17 +01:00
max17040_battery.c power: supply: max17040: Add OF device ID table 2017-04-14 01:41:33 +02:00
max17042_battery.c max17042: propagate of_node to power supply device 2018-03-12 14:29:52 +01:00
max77693_charger.c
olpc_battery.c power: supply: make device_attribute const 2017-08-28 18:48:44 +02:00
pcf50633-charger.c power: supply: pcf50633-charger: remove redundant variable charging_start 2017-11-06 13:49:57 +01:00
pda_power.c power: supply: pda_power: move from timer to delayed_work 2017-05-01 12:41:58 +02:00
pm2301_charger.c
pm2301_charger.h
pmu_battery.c
power_supply_core.c power: remove possible deadlock when unregistering power_supply 2018-07-06 16:03:21 +02:00
power_supply_leds.c
power_supply_sysfs.c Tag/Merge point for adding typeC power supply support 2018-04-26 12:18:30 +02:00
power_supply.h
qcom_smbb.c extcon: Split out extcon header file for consumer and provider device 2017-10-23 14:07:58 +09:00
rt5033_battery.c
rt9455_charger.c
rx51_battery.c power: supply: avoid unused twl4030-madc.h 2017-05-01 13:03:09 +02:00
s3c_adc_battery.c power: supply: s3c-adc-battery: fix driver data initialization 2018-04-26 00:12:11 +02:00
sbs-battery.c power: supply: sbs-battery: remove unchecked return var 2017-10-29 00:45:59 +02:00
sbs-charger.c power: supply: sbs-charger: simplified bool function 2017-04-14 01:41:34 +02:00
sbs-manager.c power: supply: sbs-message: double left shift bug in sbsm_select() 2017-12-01 16:08:00 +01:00
smb347-charger.c
test_power.c
tosa_battery.c
tps65090-charger.c
tps65217_charger.c power: supply: tps65217: remove debug messages for function calls 2017-04-14 01:41:35 +02:00
twl4030_charger.c power: supply: replace pr_* with dev_* 2017-11-06 13:59:41 +01:00
twl4030_madc_battery.c power: supply: avoid unused twl4030-madc.h 2017-05-01 13:03:09 +02:00
wm97xx_battery.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
wm831x_backup.c
wm831x_power.c power: wm831x_power: Support USB charger current limit management 2017-08-15 15:05:01 +03:00
wm8350_power.c wm8350_power: use permission-specific DEVICE_ATTR variants 2016-11-23 23:46:20 +01:00
z2_battery.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00