Patch "regulator: rt5759: fix OOB in validate_desc()" has been added to the 6.0-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 27 Nov 2022 14:08:35 -0500

This is a note to let you know that I've just added the patch titled

    regulator: rt5759: fix OOB in validate_desc()

to the 6.0-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     regulator-rt5759-fix-oob-in-validate_desc.patch
and it can be found in the queue-6.0 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit ff85ee52d9b11cb51f5ad95614fe73fe5a00de1d
Author: Yang Yingliang <yangyingliang@xxxxxxxxxx>
Date:   Wed Nov 16 17:29:43 2022 +0800

    regulator: rt5759: fix OOB in validate_desc()
    
    [ Upstream commit 7920e0fbced429ab18ad4402e3914146a6a0921b ]
    
    I got the following OOB report:
    
     BUG: KASAN: slab-out-of-bounds in validate_desc+0xba/0x109
     Read of size 8 at addr ffff888107db8ff0 by task python3/253
     Call Trace:
      <TASK>
      dump_stack_lvl+0x67/0x83
      print_report+0x178/0x4b0
      kasan_report+0x90/0x190
      validate_desc+0xba/0x109
      gpiod_set_value_cansleep+0x40/0x5a
      regulator_ena_gpio_ctrl+0x93/0xfc
      _regulator_do_enable.cold.61+0x89/0x163
      set_machine_constraints+0x140a/0x159c
      regulator_register.cold.73+0x762/0x10cd
      devm_regulator_register+0x57/0xb0
      rt5759_probe+0x3a0/0x4ac [rt5759_regulator]
    
    The desc used in validate_desc() is passed from 'reg_cfg.ena_gpiod',
    which is not initialized. Fix this by initializing 'reg_cfg' to 0.
    
    Fixes: 7b36ddb208bd ("regulator: rt5759: Add support for Richtek RT5759 DCDC converter")
    Signed-off-by: Yang Yingliang <yangyingliang@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20221116092943.1668326-1-yangyingliang@xxxxxxxxxx
    Signed-off-by: Mark Brown <broonie@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/regulator/rt5759-regulator.c b/drivers/regulator/rt5759-regulator.c
index 6b96899eb27e..8488417f4b2c 100644
--- a/drivers/regulator/rt5759-regulator.c
+++ b/drivers/regulator/rt5759-regulator.c
@@ -243,6 +243,7 @@ static int rt5759_regulator_register(struct rt5759_priv *priv)
 	if (priv->chip_type == CHIP_TYPE_RT5759A)
 		reg_desc->uV_step = RT5759A_STEP_UV;
 
+	memset(&reg_cfg, 0, sizeof(reg_cfg));
 	reg_cfg.dev = priv->dev;
 	reg_cfg.of_node = np;
 	reg_cfg.init_data = of_get_regulator_init_data(priv->dev, np, reg_desc);






