From: Antonio Borneo <antonio.borneo@xxxxxxxxxxx>
commit edd48fd9d45370d6c8ba0dd834fcc51ff688cc87 upstream.
The existing code does not verify if the "tentative" index exceeds
the size of the array, causing out of bound read.
Issue identified with kasan.
Check the index before using it.
Signed-off-by: Antonio Borneo <antonio.borneo@xxxxxxxxxxx>
Fixes: 32c170ff15b0 ("pinctrl: stm32: set default gpio line names using pin names")
Link: https://lore.kernel.org/r/20231107110520.4449-1-antonio.borneo@xxxxxxxxxxx
Signed-off-by: Linus Walleij <linus.walleij@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/pinctrl/stm32/pinctrl-stm32.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/drivers/pinctrl/stm32/pinctrl-stm32.c
+++ b/drivers/pinctrl/stm32/pinctrl-stm32.c
@@ -1282,9 +1282,11 @@ static struct stm32_desc_pin *stm32_pctr
int i;
/* With few exceptions (e.g. bank 'Z'), pin number matches with pin index in array */
- pin_desc = pctl->pins + stm32_pin_nb;
- if (pin_desc->pin.number == stm32_pin_nb)
- return pin_desc;
+ if (stm32_pin_nb < pctl->npins) {
+ pin_desc = pctl->pins + stm32_pin_nb;
+ if (pin_desc->pin.number == stm32_pin_nb)
+ return pin_desc;
+ }
/* Otherwise, loop all array to find the pin with the right number */
for (i = 0; i < pctl->npins; i++) {
Patches currently in stable-queue which might be from antonio.borneo@xxxxxxxxxxx are
queue-6.1/pinctrl-stm32-fix-array-read-out-of-bound.patch
queue-6.1/pinctrl-stm32-add-check-for-clk_enable.patch
