Message ID | 20220929222706.27184-1-xypron.glpk@gmx.de |
---|---|
State | Accepted |
Delegated to: | Tom Rini |
Headers | show |
Series | [1/1] regmap: fix range checks | expand |
On Thu, 29 Sept 2022 at 16:27, Heinrich Schuchardt <xypron.glpk@gmx.de> wrote: > > On the 32bit ARM sandbox 'dm ut dm_test_devm_regmap' fails with an abort. > This is due to incorrect range checks. > > On 32-bit systems the size of size_t and int is both 32 bit. The expression > (offset + val_len) is bound to overflow if offset == -1. Add an overflow > check. > > Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> > --- > drivers/core/regmap.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) Reviewed-by: Simon Glass <sjg@chromium.org>
On Thu, Sep 29, 2022 at 10:27:06PM +0000, Heinrich Schuchardt wrote: > On the 32bit ARM sandbox 'dm ut dm_test_devm_regmap' fails with an abort. > This is due to incorrect range checks. > > On 32-bit systems the size of size_t and int is both 32 bit. The expression > (offset + val_len) is bound to overflow if offset == -1. Add an overflow > check. > > Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> > Reviewed-by: Simon Glass <sjg@chromium.org> Applied to u-boot/master, thanks!
diff --git a/drivers/core/regmap.c b/drivers/core/regmap.c index 5f98f85cfc..5ccbf9abb8 100644 --- a/drivers/core/regmap.c +++ b/drivers/core/regmap.c @@ -399,7 +399,7 @@ int regmap_raw_read_range(struct regmap *map, uint range_num, uint offset, range = &map->ranges[range_num]; offset <<= map->reg_offset_shift; - if (offset + val_len > range->size) { + if (offset + val_len > range->size || offset + val_len < offset) { debug("%s: offset/size combination invalid\n", __func__); return -ERANGE; } @@ -538,7 +538,7 @@ int regmap_raw_write_range(struct regmap *map, uint range_num, uint offset, range = &map->ranges[range_num]; offset <<= map->reg_offset_shift; - if (offset + val_len > range->size) { + if (offset + val_len > range->size || offset + val_len < offset) { debug("%s: offset/size combination invalid\n", __func__); return -ERANGE; }
On the 32bit ARM sandbox 'dm ut dm_test_devm_regmap' fails with an abort. This is due to incorrect range checks. On 32-bit systems the size of size_t and int is both 32 bit. The expression (offset + val_len) is bound to overflow if offset == -1. Add an overflow check. Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> --- drivers/core/regmap.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) -- 2.34.1