]>
Commit | Line | Data |
---|---|---|
d1cf1a50 GKH |
1 | From 482137bf2aecd887ebfa8756456764a2f6a0e545 Mon Sep 17 00:00:00 2001 |
2 | From: Frank Rowand <frank.rowand@sony.com> | |
3 | Date: Wed, 16 May 2018 21:19:51 -0700 | |
4 | Subject: of: overlay: validate offset from property fixups | |
5 | ||
6 | From: Frank Rowand <frank.rowand@sony.com> | |
7 | ||
8 | commit 482137bf2aecd887ebfa8756456764a2f6a0e545 upstream. | |
9 | ||
10 | The smatch static checker marks the data in offset as untrusted, | |
11 | leading it to warn: | |
12 | ||
13 | drivers/of/resolver.c:125 update_usages_of_a_phandle_reference() | |
14 | error: buffer underflow 'prop->value' 's32min-s32max' | |
15 | ||
16 | Add check to verify that offset is within the property data. | |
17 | ||
18 | Reported-by: Dan Carpenter <dan.carpenter@oracle.com> | |
19 | Signed-off-by: Frank Rowand <frank.rowand@sony.com> | |
20 | Cc: <stable@vger.kernel.org> | |
21 | Signed-off-by: Rob Herring <robh@kernel.org> | |
22 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
23 | ||
24 | --- | |
25 | drivers/of/resolver.c | 5 +++++ | |
26 | 1 file changed, 5 insertions(+) | |
27 | ||
28 | --- a/drivers/of/resolver.c | |
29 | +++ b/drivers/of/resolver.c | |
30 | @@ -129,6 +129,11 @@ static int update_usages_of_a_phandle_re | |
31 | goto err_fail; | |
32 | } | |
33 | ||
34 | + if (offset < 0 || offset + sizeof(__be32) > prop->length) { | |
35 | + err = -EINVAL; | |
36 | + goto err_fail; | |
37 | + } | |
38 | + | |
39 | *(__be32 *)(prop->value + offset) = cpu_to_be32(phandle); | |
40 | } | |
41 |