From patchwork Tue May 26 12:05:57 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Pratyush Yadav
X-Patchwork-Id: 1297939
X-Patchwork-Delegate: sjg@chromium.org
Return-Path:
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de
(client-ip=85.214.62.61; helo=phobos.denx.de;
envelope-from=u-boot-bounces@lists.denx.de; receiver=)
Authentication-Results: ozlabs.org;
dmarc=pass (p=quarantine dis=none) header.from=ti.com
Authentication-Results: ozlabs.org;
dkim=pass (1024-bit key;
unprotected) header.d=ti.com header.i=@ti.com header.a=rsa-sha256
header.s=ti-com-17Q1 header.b=e6f8kZ8U;
dkim-atps=neutral
Received: from phobos.denx.de (phobos.denx.de [85.214.62.61])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature RSA-PSS (4096 bits))
(No client certificate requested)
by ozlabs.org (Postfix) with ESMTPS id 49WXk20bmsz9sRY
for ; Tue, 26 May 2020 22:06:17 +1000 (AEST)
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
by phobos.denx.de (Postfix) with ESMTP id 6703D819D4;
Tue, 26 May 2020 14:06:10 +0200 (CEST)
Authentication-Results: phobos.denx.de;
dmarc=pass (p=quarantine dis=none) header.from=ti.com
Authentication-Results: phobos.denx.de;
spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Authentication-Results: phobos.denx.de;
dkim=pass (1024-bit key;
unprotected) header.d=ti.com header.i=@ti.com header.b="e6f8kZ8U";
dkim-atps=neutral
Received: by phobos.denx.de (Postfix, from userid 109)
id 9142881CBE; Tue, 26 May 2020 14:06:08 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de
X-Spam-Level:
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,SPF_HELO_NONE,URIBL_BLOCKED
autolearn=ham autolearn_force=no version=3.4.2
Received: from fllv0015.ext.ti.com (fllv0015.ext.ti.com [198.47.19.141])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by phobos.denx.de (Postfix) with ESMTPS id 77D4681923
for ; Tue, 26 May 2020 14:06:03 +0200 (CEST)
Authentication-Results: phobos.denx.de;
dmarc=pass (p=quarantine dis=none) header.from=ti.com
Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=p.yadav@ti.com
Received: from lelv0265.itg.ti.com ([10.180.67.224])
by fllv0015.ext.ti.com (8.15.2/8.15.2) with ESMTP id 04QC61Em104936;
Tue, 26 May 2020 07:06:01 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ti.com;
s=ti-com-17Q1; t=1590494761;
bh=wTCrOn36y/mhTTOJzvogdEwC9oBXbX+B8Q1K1+O4Kk0=;
h=From:To:CC:Subject:Date;
b=e6f8kZ8U2pKrIlnl4H+omnZ3QvF4IXK81+3C+2v4rx4J/HHxzqs5O7I/BZ+WOOOQE
Y4zx1esG1Md09yDIuu1d7MHtmsdUnWYVkYfReeQGyeXwnSdtJv0UTjRsQ+QyIhbsSj
7AIWBMD5TwpbJkksF6IWMvUA90dFUv5xhK88kVjo=
Received: from DFLE109.ent.ti.com (dfle109.ent.ti.com [10.64.6.30])
by lelv0265.itg.ti.com (8.15.2/8.15.2) with ESMTPS id 04QC61MH104570
(version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=FAIL);
Tue, 26 May 2020 07:06:01 -0500
Received: from DFLE115.ent.ti.com (10.64.6.36) by DFLE109.ent.ti.com
(10.64.6.30) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1979.3; Tue, 26
May 2020 07:06:00 -0500
Received: from lelv0326.itg.ti.com (10.180.67.84) by DFLE115.ent.ti.com
(10.64.6.36) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1979.3 via
Frontend Transport; Tue, 26 May 2020 07:06:00 -0500
Received: from pratyush-OptiPlex-790.dhcp.ti.com (ileax41-snat.itg.ti.com
[10.172.224.153])
by lelv0326.itg.ti.com (8.15.2/8.15.2) with ESMTP id 04QC5wRO049479;
Tue, 26 May 2020 07:05:59 -0500
From: Pratyush Yadav
To: Simon Glass
CC: Pratyush Yadav , , Vignesh
Raghavendra , Sekhar Nori
Subject: [PATCH] regmap: Check for out-of-range offsets before mapping them
Date: Tue, 26 May 2020 17:35:57 +0530
Message-ID: <20200526120557.26240-1-p.yadav@ti.com>
X-Mailer: git-send-email 2.25.0
MIME-Version: 1.0
X-EXCLAIMER-MD-CONFIG: e1e8a2fd-e40a-4ac6-ac9b-f7e9cc9ee180
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.30rc1
Precedence: list
List-Id: U-Boot discussion
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot"
X-Virus-Scanned: clamav-milter 0.102.2 at phobos.denx.de
X-Virus-Status: Clean
In regmap_raw_{read,write}_range(), offsets are checked to make sure
they aren't out of range. But this check happens _after_ the address is
mapped from physical memory. Input should be sanity-checked before using
it. Mapping the address before validating it leaves the door open to
passing an invalid address to map_physmem(). So check for out of range
offsets _before_ mapping them.
This fixes a segmentation fault in sandbox when -1 is used as an offset
to regmap_{read,write}().
Signed-off-by: Pratyush Yadav
Reviewed-by: Simon Glass
---
drivers/core/regmap.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/core/regmap.c b/drivers/core/regmap.c
index 4a214eff7c..a67a237b88 100644
--- a/drivers/core/regmap.c
+++ b/drivers/core/regmap.c
@@ -310,13 +310,13 @@ int regmap_raw_read_range(struct regmap *map, uint range_num, uint offset,
}
range = &map->ranges[range_num];
- ptr = map_physmem(range->start + offset, val_len, MAP_NOCACHE);
-
if (offset + val_len > range->size) {
debug("%s: offset/size combination invalid\n", __func__);
return -ERANGE;
}
+ ptr = map_physmem(range->start + offset, val_len, MAP_NOCACHE);
+
switch (val_len) {
case REGMAP_SIZE_8:
*((u8 *)valp) = __read_8(ptr, map->endianness);
@@ -419,13 +419,13 @@ int regmap_raw_write_range(struct regmap *map, uint range_num, uint offset,
}
range = &map->ranges[range_num];
- ptr = map_physmem(range->start + offset, val_len, MAP_NOCACHE);
-
if (offset + val_len > range->size) {
debug("%s: offset/size combination invalid\n", __func__);
return -ERANGE;
}
+ ptr = map_physmem(range->start + offset, val_len, MAP_NOCACHE);
+
switch (val_len) {
case REGMAP_SIZE_8:
__write_8(ptr, val, map->endianness);