[thirdparty/kernel/stable-queue.git] / releases / 4.14.53 / of-overlay-validate-offset-from-property-fixups.patch

From 482137bf2aecd887ebfa8756456764a2f6a0e545 Mon Sep 17 00:00:00 2001
From: Frank Rowand <frank.rowand@sony.com>
Date: Wed, 16 May 2018 21:19:51 -0700
Subject: of: overlay: validate offset from property fixups

From: Frank Rowand <frank.rowand@sony.com>

commit 482137bf2aecd887ebfa8756456764a2f6a0e545 upstream.

The smatch static checker marks the data in offset as untrusted,
leading it to warn:

  drivers/of/resolver.c:125 update_usages_of_a_phandle_reference()
  error: buffer underflow 'prop->value' 's32min-s32max'

Add check to verify that offset is within the property data.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Frank Rowand <frank.rowand@sony.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/of/resolver.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/of/resolver.c
+++ b/drivers/of/resolver.c
@@ -129,6 +129,11 @@ static int update_usages_of_a_phandle_re
 			goto err_fail;
 		}
 
+		if (offset < 0 || offset + sizeof(__be32) > prop->length) {
+			err = -EINVAL;
+			goto err_fail;
+		}
+
 		*(__be32 *)(prop->value + offset) = cpu_to_be32(phandle);
 	}
Commit	Line	Data
d1cf1a50 GKH	1	From 482137bf2aecd887ebfa8756456764a2f6a0e545 Mon Sep 17 00:00:00 2001
	2	From: Frank Rowand <frank.rowand@sony.com>
	3	Date: Wed, 16 May 2018 21:19:51 -0700
	4	Subject: of: overlay: validate offset from property fixups
	5
	6	From: Frank Rowand <frank.rowand@sony.com>
	7
	8	commit 482137bf2aecd887ebfa8756456764a2f6a0e545 upstream.
	9
	10	The smatch static checker marks the data in offset as untrusted,
	11	leading it to warn:
	12
	13	drivers/of/resolver.c:125 update_usages_of_a_phandle_reference()
	14	error: buffer underflow 'prop->value' 's32min-s32max'
	15
	16	Add check to verify that offset is within the property data.
	17
	18	Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
	19	Signed-off-by: Frank Rowand <frank.rowand@sony.com>
	20	Cc: <stable@vger.kernel.org>
	21	Signed-off-by: Rob Herring <robh@kernel.org>
	22	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	23
	24	---
	25	drivers/of/resolver.c \| 5 +++++
	26	1 file changed, 5 insertions(+)
	27
	28	--- a/drivers/of/resolver.c
	29	+++ b/drivers/of/resolver.c
	30	@@ -129,6 +129,11 @@ static int update_usages_of_a_phandle_re
	31	goto err_fail;
	32	}
	33
	34	+ if (offset < 0 \|\| offset + sizeof(__be32) > prop->length) {
	35	+ err = -EINVAL;
	36	+ goto err_fail;
	37	+ }
	38	+
	39	(__be32 )(prop->value + offset) = cpu_to_be32(phandle);
	40	}
	41