| Message ID | 1519117393-31302-1-git-send-email-geert+renesas@glider.be (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Tue, Feb 20, 2018 at 10:03 AM, Geert Uytterhoeven <geert+renesas@glider.be> wrote: > The hs_timing_cfg[] array is indexed using a value derived from the > "mshcN" alias in DT, which may lead to an out-of-bounds access. > > Fix this by adding a range check. > > Fixes: 7d92895208a008a2 ("mmc: dw_mmc-k3: Fix out-of-bounds access through DT alias") Oops Fixes: 361c7fe9b02eee7e ("mmc: dw_mmc-k3: add sd support for hi3660") Gr{oetje,eeting}s, Geert -- Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org In personal conversations with technical people, I call myself a hacker. But when I'm talking to journalists I just say "programmer" or something like that. -- Linus Torvalds -- To unsubscribe from this list: send the line "unsubscribe linux-mmc" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi Geert, On 02/20/2018 07:50 PM, Geert Uytterhoeven wrote: > On Tue, Feb 20, 2018 at 10:03 AM, Geert Uytterhoeven > <geert+renesas@glider.be> wrote: >> The hs_timing_cfg[] array is indexed using a value derived from the >> "mshcN" alias in DT, which may lead to an out-of-bounds access. >> >> Fix this by adding a range check. >> >> Fixes: 7d92895208a008a2 ("mmc: dw_mmc-k3: Fix out-of-bounds access through DT alias") > > Oops > > Fixes: 361c7fe9b02eee7e ("mmc: dw_mmc-k3: add sd support for hi3660") Could you resend the patch with changing commit-msg? Then i will pick yours. Best Regards, Jaehoon Chung > > Gr{oetje,eeting}s, > > Geert > > -- > Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org > > In personal conversations with technical people, I call myself a hacker. But > when I'm talking to journalists I just say "programmer" or something like that. > -- Linus Torvalds > -- > To unsubscribe from this list: send the line "unsubscribe linux-mmc" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > > > -- To unsubscribe from this list: send the line "unsubscribe linux-mmc" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi Jaehoon, On Wed, Feb 21, 2018 at 6:39 AM, Jaehoon Chung <jh80.chung@samsung.com> wrote: > On 02/20/2018 07:50 PM, Geert Uytterhoeven wrote: >> On Tue, Feb 20, 2018 at 10:03 AM, Geert Uytterhoeven >> <geert+renesas@glider.be> wrote: >>> The hs_timing_cfg[] array is indexed using a value derived from the >>> "mshcN" alias in DT, which may lead to an out-of-bounds access. >>> >>> Fix this by adding a range check. >>> >>> Fixes: 7d92895208a008a2 ("mmc: dw_mmc-k3: Fix out-of-bounds access through DT alias") >> >> Oops >> >> Fixes: 361c7fe9b02eee7e ("mmc: dw_mmc-k3: add sd support for hi3660") > > Could you resend the patch with changing commit-msg? > Then i will pick yours. Sure. Will send a v2 soon. Gr{oetje,eeting}s, Geert -- Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org In personal conversations with technical people, I call myself a hacker. But when I'm talking to journalists I just say "programmer" or something like that. -- Linus Torvalds -- To unsubscribe from this list: send the line "unsubscribe linux-mmc" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/drivers/mmc/host/dw_mmc-k3.c b/drivers/mmc/host/dw_mmc-k3.c index 73fd75c3c824904d..75ae5803b0db24dd 100644 --- a/drivers/mmc/host/dw_mmc-k3.c +++ b/drivers/mmc/host/dw_mmc-k3.c @@ -135,6 +135,9 @@ static int dw_mci_hi6220_parse_dt(struct dw_mci *host) if (priv->ctrl_id < 0) priv->ctrl_id = 0; + if (priv->ctrl_id >= TIMING_MODE) + return -EINVAL; + host->priv = priv; return 0; }
The hs_timing_cfg[] array is indexed using a value derived from the "mshcN" alias in DT, which may lead to an out-of-bounds access. Fix this by adding a range check. Fixes: 7d92895208a008a2 ("mmc: dw_mmc-k3: Fix out-of-bounds access through DT alias") Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be> --- Compile-tested only. There is another possible out-of-bounds access in drivers/mmc/host/dw_mmc.c:dw_mci_init_slot(): if (drv_data && drv_data->caps) mmc->caps |= drv_data->caps[ctrl_id]; With ctrl_id derived from "mshcN". Unfortunately the upper bound is not known at run-time, without adding such a field to struct dw_mci_drv_data first. --- drivers/mmc/host/dw_mmc-k3.c | 3 +++ 1 file changed, 3 insertions(+)