[PATCH RESEND] regulator: rn5t618: Fix out of bounds array access

[PATCH RESEND] regulator: rn5t618: Fix out of bounds array access

[Axel Lin]

The commit "regulator: rn5t618: Add RN5T567 PMIC support" added
RN5T618_DCDC4 to the enum, then RN5T618_REG_NUM is also changed.
So for rn5t618, there is out of bounds array access when checking
regulators[i].name in the for loop.

The number of regulators is different for rn5t567 and rn5t618, so we had
better remove RN5T618_REG_NUM and get the correct num_regulators during
probe instead.

Fixes: ed6d362d8dbc ("regulator: rn5t618: Add RN5T567 PMIC support")
Signed-off-by: Axel Lin <axel.lin@ingics.com>
---
RESEND: Correct subject line (remove double Fix)

 drivers/regulator/rn5t618-regulator.c | 8 ++++----
 include/linux/mfd/rn5t618.h           | 1 -
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/drivers/regulator/rn5t618-regulator.c b/drivers/regulator/rn5t618-regulator.c
index 8d2819e..0c09143 100644
--- a/drivers/regulator/rn5t618-regulator.c
+++ b/drivers/regulator/rn5t618-regulator.c
@@ -85,14 +85,17 @@ static int rn5t618_regulator_probe(struct platform_device *pdev)
 	struct regulator_config config = { };
 	struct regulator_dev *rdev;
 	struct regulator_desc *regulators;
+	int num_regulators;
 	int i;
 
 	switch (rn5t618->variant) {
 	case RN5T567:
 		regulators = rn5t567_regulators;
+		num_regulators = ARRAY_SIZE(rn5t567_regulators);
 		break;
 	case RN5T618:
 		regulators = rn5t618_regulators;
+		num_regulators = ARRAY_SIZE(rn5t618_regulators);
 		break;
 	default:
 		return -EINVAL;
@@ -101,10 +104,7 @@ static int rn5t618_regulator_probe(struct platform_device *pdev)
 	config.dev = pdev->dev.parent;
 	config.regmap = rn5t618->regmap;
 
-	for (i = 0; i < RN5T618_REG_NUM; i++) {
-		if (!regulators[i].name)
-			continue;
-
+	for (i = 0; i < num_regulators; i++) {
 		rdev = devm_regulator_register(&pdev->dev,
 					       &regulators[i],
 					       &config);
diff --git a/include/linux/mfd/rn5t618.h b/include/linux/mfd/rn5t618.h
index e5a6cde..d7b3155 100644
--- a/include/linux/mfd/rn5t618.h
+++ b/include/linux/mfd/rn5t618.h
@@ -233,7 +233,6 @@ enum {
 	RN5T618_LDO5,
 	RN5T618_LDORTC1,
 	RN5T618_LDORTC2,
-	RN5T618_REG_NUM,
 };
 
 enum {
-- 
2.9.3

Re: [PATCH RESEND] regulator: rn5t618: Fix out of bounds array access

[Stefan Agner]

On 2017-04-15 07:52, Axel Lin wrote:
> The commit "regulator: rn5t618: Add RN5T567 PMIC support" added
> RN5T618_DCDC4 to the enum, then RN5T618_REG_NUM is also changed.
> So for rn5t618, there is out of bounds array access when checking
> regulators[i].name in the for loop.

I use designated initializers ([RN5T618_##rid] = {..), which guarantee
that the non initialized elements are zero. The highest element LDORTC2
is defined, hence the length of the array should be RN5T618_REG_NUM.

See also
https://gcc.gnu.org/onlinedocs/gcc/Designated-Inits.html

--
Stefan


> 
> The number of regulators is different for rn5t567 and rn5t618, so we had
> better remove RN5T618_REG_NUM and get the correct num_regulators during
> probe instead.
> 
> Fixes: ed6d362d8dbc ("regulator: rn5t618: Add RN5T567 PMIC support")
> Signed-off-by: Axel Lin <axel.lin@ingics.com>
> ---
> RESEND: Correct subject line (remove double Fix)
> 
>  drivers/regulator/rn5t618-regulator.c | 8 ++++----
>  include/linux/mfd/rn5t618.h           | 1 -
>  2 files changed, 4 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/regulator/rn5t618-regulator.c
> b/drivers/regulator/rn5t618-regulator.c
> index 8d2819e..0c09143 100644
> --- a/drivers/regulator/rn5t618-regulator.c
> +++ b/drivers/regulator/rn5t618-regulator.c
> @@ -85,14 +85,17 @@ static int rn5t618_regulator_probe(struct
> platform_device *pdev)
>  	struct regulator_config config = { };
>  	struct regulator_dev *rdev;
>  	struct regulator_desc *regulators;
> +	int num_regulators;
>  	int i;
>  
>  	switch (rn5t618->variant) {
>  	case RN5T567:
>  		regulators = rn5t567_regulators;
> +		num_regulators = ARRAY_SIZE(rn5t567_regulators);
>  		break;
>  	case RN5T618:
>  		regulators = rn5t618_regulators;
> +		num_regulators = ARRAY_SIZE(rn5t618_regulators);
>  		break;
>  	default:
>  		return -EINVAL;
> @@ -101,10 +104,7 @@ static int rn5t618_regulator_probe(struct
> platform_device *pdev)
>  	config.dev = pdev->dev.parent;
>  	config.regmap = rn5t618->regmap;
>  
> -	for (i = 0; i < RN5T618_REG_NUM; i++) {
> -		if (!regulators[i].name)
> -			continue;
> -
> +	for (i = 0; i < num_regulators; i++) {
>  		rdev = devm_regulator_register(&pdev->dev,
>  					       &regulators[i],
>  					       &config);
> diff --git a/include/linux/mfd/rn5t618.h b/include/linux/mfd/rn5t618.h
> index e5a6cde..d7b3155 100644
> --- a/include/linux/mfd/rn5t618.h
> +++ b/include/linux/mfd/rn5t618.h
> @@ -233,7 +233,6 @@ enum {
>  	RN5T618_LDO5,
>  	RN5T618_LDORTC1,
>  	RN5T618_LDORTC2,
> -	RN5T618_REG_NUM,
>  };
>  
>  enum {

Re: [PATCH RESEND] regulator: rn5t618: Fix out of bounds array access

[Axel Lin]

2017-04-16 0:53 GMT+08:00 Stefan Agner <stefan@agner.ch>:
> On 2017-04-15 07:52, Axel Lin wrote:
>> The commit "regulator: rn5t618: Add RN5T567 PMIC support" added
>> RN5T618_DCDC4 to the enum, then RN5T618_REG_NUM is also changed.
>> So for rn5t618, there is out of bounds array access when checking
>> regulators[i].name in the for loop.
>
> I use designated initializers ([RN5T618_##rid] = {..), which guarantee
> that the non initialized elements are zero. The highest element LDORTC2
> is defined, hence the length of the array should be RN5T618_REG_NUM.

ok, I missed that. Then current code is fine.
Though the meaing of RN5T618_REG_NUM seems misleading to me as different
variant has differnt number of regulators.

Thanks for the review,
Axel

Re: [PATCH RESEND] regulator: rn5t618: Fix out of bounds array access

[Axel Lin]

2017-04-16 9:12 GMT+08:00 Axel Lin <axel.lin@ingics.com>:
> 2017-04-16 0:53 GMT+08:00 Stefan Agner <stefan@agner.ch>:
>> On 2017-04-15 07:52, Axel Lin wrote:
>>> The commit "regulator: rn5t618: Add RN5T567 PMIC support" added
>>> RN5T618_DCDC4 to the enum, then RN5T618_REG_NUM is also changed.
>>> So for rn5t618, there is out of bounds array access when checking
>>> regulators[i].name in the for loop.
>>
>> I use designated initializers ([RN5T618_##rid] = {..), which guarantee
>> that the non initialized elements are zero. The highest element LDORTC2
>> is defined, hence the length of the array should be RN5T618_REG_NUM.
>
> ok, I missed that. Then current code is fine.
I just realize my patch is wrong due to the use of designated initializers.

Regards,
Axel

Re: [PATCH RESEND] regulator: rn5t618: Fix out of bounds array access

[Stefan Agner]

On 2017-04-15 18:12, Axel Lin wrote:
> 2017-04-16 0:53 GMT+08:00 Stefan Agner <stefan@agner.ch>:
>> On 2017-04-15 07:52, Axel Lin wrote:
>>> The commit "regulator: rn5t618: Add RN5T567 PMIC support" added
>>> RN5T618_DCDC4 to the enum, then RN5T618_REG_NUM is also changed.
>>> So for rn5t618, there is out of bounds array access when checking
>>> regulators[i].name in the for loop.
>>
>> I use designated initializers ([RN5T618_##rid] = {..), which guarantee
>> that the non initialized elements are zero. The highest element LDORTC2
>> is defined, hence the length of the array should be RN5T618_REG_NUM.
> 
> ok, I missed that. Then current code is fine.
> Though the meaing of RN5T618_REG_NUM seems misleading to me as different
> variant has differnt number of regulators.

Yeah I admit the code is somewhat unobvious as it is now. But it allowed
me to add RN5T567 support without changing the existing array and the
preprocessor macro.

--
Stefan