Re: pinctrl: samsung: Out-of-bounds access through DT aliases

On Tue, Feb 20, 2018 at 11:06 AM, Geert Uytterhoeven
<geert@xxxxxxxxxxxxxx> wrote:
> Hi,
>
> The Samsung pinctrl driver uses the "pinctrlN" alias from DT without performing
> any validation on the returned index, which may lead to out-of-bounds accesses
> in the SoC-specific samsung_pin_ctrl[] arrays:
>
> drivers/pinctrl/samsung/pinctrl-samsung.c:samsung_pinctrl_get_soc_data():
>
>         id = of_alias_get_id(node, "pinctrl");
>         if (id < 0) {
>                 dev_err(&pdev->dev, "failed to get alias id\n");
>                 return ERR_PTR(-ENOENT);
>         }
>         ctrl = of_device_get_match_data(&pdev->dev);
>         // FIXME out-of-bounds access, limit not known
>         ctrl += id;

Hi Geert,

Indeed, lack of validation with a wrong DT will cause out-of-bounds
accesses. This might also be an issue when using out-of-tree DTBs.

I'll take a look at a possible fix.

Thanks for the report, much appreciated!

Best regards,
Krzysztof
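
A userspace C model of one way to bound the alias index (an added example, not code from this thread or from the driver): the match data carries the array length next to the array, so the lookup can reject an alias that points past it. The struct names, the function name and the sample table are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for one entry of a SoC-specific controller array. */
struct pin_ctrl_model {
	const char *name;
	unsigned int nr_banks;
};

/* Match data that records how many entries the array holds. */
struct match_data_model {
	const struct pin_ctrl_model *ctrl;
	unsigned int num_ctrl;
};

/* Constructed sample table: a SoC with two pin controllers. */
static const struct pin_ctrl_model soc_a_ctrl[] = {
	{ "soc-a-pinctrl0", 5 },
	{ "soc-a-pinctrl1", 3 },
};

static const struct match_data_model soc_a_match = {
	.ctrl = soc_a_ctrl,
	.num_ctrl = sizeof(soc_a_ctrl) / sizeof(soc_a_ctrl[0]),
};

/*
 * alias_id models the value returned for a "pinctrlN" alias: negative on
 * error, otherwise N as written in the DTB, so it is untrusted input.
 * Returns NULL instead of a pointer outside the array.
 */
static const struct pin_ctrl_model *
get_soc_data_checked(const struct match_data_model *md, int alias_id)
{
	if (!md || !md->ctrl)
		return NULL;
	if (alias_id < 0)
		return NULL;	/* no alias found */
	if ((unsigned int)alias_id >= md->num_ctrl)
		return NULL;	/* alias index beyond the SoC's array */
	return &md->ctrl[alias_id];
}

int main(void)
{
	const int ids[] = { 0, 1, 2, 1000, -19 };	/* constructed alias values */
	for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++) {
		const struct pin_ctrl_model *c = get_soc_data_checked(&soc_a_match, ids[i]);
		printf("alias %d -> %s\n", ids[i], c ? c->name : "rejected");
	}
	return 0;
}
```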