On Tue, Feb 20, 2018 at 11:06 AM, Geert Uytterhoeven <geert@xxxxxxxxxxxxxx> wrote:
> Hi,
>
> The Samsung pinctrl driver uses the "pinctrlN" alias from DT without performing
> any validation on the returned index, which may lead to out-of-bounds accesses
> in the SoC-specific samsung_pin_ctrl[] arrays:
>
> drivers/pinctrl/samsung/pinctrl-samsung.c:samsung_pinctrl_get_soc_data():
>
>         id = of_alias_get_id(node, "pinctrl");
>         if (id < 0) {
>                 dev_err(&pdev->dev, "failed to get alias id\n");
>                 return ERR_PTR(-ENOENT);
>         }
>         ctrl = of_device_get_match_data(&pdev->dev);
>         // FIXME out-of-bounds access, limit not known
>         ctrl += id;

Hi Geert,

Indeed, lack of validation with wrong DT will cause out-of-bounds
accesses. This might also be an issue when using out-of-tree DTBs.

I'll take a look at a possible fix. Thanks for the report, much appreciated!

Best regards,
Krzysztof
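
The missing upper-bound check discussed in this thread, as an added example that is not part of the original messages and not the driver's code or its eventual fix: a user-space model in which the match data carries the array length, so the alias id can be validated before it is used as an index. The names `pin_ctrl`, `soc_match_data`, `num_ctrl`, `get_ctrl_checked` and the sample table are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for one entry of a SoC-specific samsung_pin_ctrl[] array. */
struct pin_ctrl { const char *name; unsigned int nr_banks; };

/* Assumption: the match data carries the array length next to the array,
 * which supplies the limit the quoted FIXME calls "not known". */
struct soc_match_data { const struct pin_ctrl *ctrl; size_t num_ctrl; };

/* Constructed sample table: a SoC with two pin controllers. */
static const struct pin_ctrl sample_ctrl[] = { { "pinctrl0", 5 }, { "pinctrl1", 3 } };
static const struct soc_match_data sample_soc = {
    .ctrl = sample_ctrl,
    .num_ctrl = sizeof(sample_ctrl) / sizeof(sample_ctrl[0]),
};

/* Check the alias id against both bounds before it is used as an index.
 * Returns 0 and sets *out, -ENOENT for a missing alias (id < 0), or
 * -EINVAL for an id beyond the table; *out is NULL on every error. */
static int get_ctrl_checked(const struct soc_match_data *soc, int id,
                            const struct pin_ctrl **out)
{
    *out = NULL;
    if (!soc || !soc->ctrl)
        return -EINVAL;
    if (id < 0)
        return -ENOENT;
    if ((size_t)id >= soc->num_ctrl)
        return -EINVAL;
    *out = &soc->ctrl[id];
    return 0;
}

int main(void)
{
    /* Constructed alias ids, as a wrong or out-of-tree DTB could supply them. */
    const int ids[] = { -1, 0, 1, 2, 7 };
    for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++) {
        const struct pin_ctrl *c;
        int ret = get_ctrl_checked(&sample_soc, ids[i], &c);
        printf("alias id %d -> %s (ret %d)\n", ids[i], c ? c->name : "rejected", ret);
    }
    return 0;
}
```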