* [PATCH 1/1] regmap: fix range checks
@ 2022-09-29 22:27 Heinrich Schuchardt
2022-09-30 13:28 ` Simon Glass
2022-10-12 19:14 ` Tom Rini
0 siblings, 2 replies; 3+ messages in thread
From: Heinrich Schuchardt @ 2022-09-29 22:27 UTC (permalink / raw)
To: Simon Glass; +Cc: u-boot, Heinrich Schuchardt
On the 32bit ARM sandbox 'dm ut dm_test_devm_regmap' fails with an abort.
This is due to incorrect range checks.
On 32-bit systems the size of size_t and int is both 32 bit. The expression
(offset + val_len) is bound to overflow if offset == -1. Add an overflow
check.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
---
drivers/core/regmap.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/core/regmap.c b/drivers/core/regmap.c
index 5f98f85cfc..5ccbf9abb8 100644
--- a/drivers/core/regmap.c
+++ b/drivers/core/regmap.c
@@ -399,7 +399,7 @@ int regmap_raw_read_range(struct regmap *map, uint range_num, uint offset,
range = &map->ranges[range_num];
offset <<= map->reg_offset_shift;
- if (offset + val_len > range->size) {
+ if (offset + val_len > range->size || offset + val_len < offset) {
debug("%s: offset/size combination invalid\n", __func__);
return -ERANGE;
}
@@ -538,7 +538,7 @@ int regmap_raw_write_range(struct regmap *map, uint range_num, uint offset,
range = &map->ranges[range_num];
offset <<= map->reg_offset_shift;
- if (offset + val_len > range->size) {
+ if (offset + val_len > range->size || offset + val_len < offset) {
debug("%s: offset/size combination invalid\n", __func__);
return -ERANGE;
}
--
2.34.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH 1/1] regmap: fix range checks
2022-09-29 22:27 [PATCH 1/1] regmap: fix range checks Heinrich Schuchardt
@ 2022-09-30 13:28 ` Simon Glass
2022-10-12 19:14 ` Tom Rini
1 sibling, 0 replies; 3+ messages in thread
From: Simon Glass @ 2022-09-30 13:28 UTC (permalink / raw)
To: Heinrich Schuchardt; +Cc: U-Boot Mailing List
On Thu, 29 Sept 2022 at 16:27, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote:
>
> On the 32bit ARM sandbox 'dm ut dm_test_devm_regmap' fails with an abort.
> This is due to incorrect range checks.
>
> On 32-bit systems the size of size_t and int is both 32 bit. The expression
> (offset + val_len) is bound to overflow if offset == -1. Add an overflow
> check.
>
> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
> ---
> drivers/core/regmap.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
Reviewed-by: Simon Glass <sjg@chromium.org>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH 1/1] regmap: fix range checks
2022-09-29 22:27 [PATCH 1/1] regmap: fix range checks Heinrich Schuchardt
2022-09-30 13:28 ` Simon Glass
@ 2022-10-12 19:14 ` Tom Rini
1 sibling, 0 replies; 3+ messages in thread
From: Tom Rini @ 2022-10-12 19:14 UTC (permalink / raw)
To: Heinrich Schuchardt; +Cc: Simon Glass, u-boot
[-- Attachment #1: Type: text/plain, Size: 519 bytes --]
On Thu, Sep 29, 2022 at 10:27:06PM +0000, Heinrich Schuchardt wrote:
> On the 32bit ARM sandbox 'dm ut dm_test_devm_regmap' fails with an abort.
> This is due to incorrect range checks.
>
> On 32-bit systems the size of size_t and int is both 32 bit. The expression
> (offset + val_len) is bound to overflow if offset == -1. Add an overflow
> check.
>
> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
> Reviewed-by: Simon Glass <sjg@chromium.org>
Applied to u-boot/master, thanks!
--
Tom
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-10-12 19:14 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-09-29 22:27 [PATCH 1/1] regmap: fix range checks Heinrich Schuchardt
2022-09-30 13:28 ` Simon Glass
2022-10-12 19:14 ` Tom Rini
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.