From patchwork Mon May 2 15:05:11 2016
X-Patchwork-Submitter: Srinivas Kandagatla
X-Patchwork-Id: 8993101
From: Srinivas Kandagatla
To: Greg Kroah-Hartman
Subject: [PATCH v2] nvmem: mxs-ocotp: fix buffer overflow in read
Date: Mon, 2 May 2016 16:05:11 +0100
Message-Id: <1462201511-3942-1-git-send-email-srinivas.kandagatla@linaro.org>
Cc: stefan.wahren@i2se.com, linux-kernel@vger.kernel.org, stable@vger.kernel.org, stano@meduna.org, Srinivas Kandagatla, Maxime Ripard, linux-arm-kernel@lists.infradead.org

From: Stanislav Meduna

This patch fixes the issue where the mxs_ocotp_read is reading
the ocotp in reg_size steps but decrements the remaining size
by 1. The number of iterations is thus four times higher,
overwriting the area behind the output buffer.

Fixes: c01e9a11ab6f ("nvmem: add driver for ocotp in i.MX23 and i.MX28")
Tested-by: Stefan Wahren
Signed-off-by: Stanislav Meduna
Signed-off-by: Srinivas Kandagatla
---
 drivers/nvmem/mxs-ocotp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/nvmem/mxs-ocotp.c b/drivers/nvmem/mxs-ocotp.c index 8ba19bb..2bb3c57 100644 --- a/drivers/nvmem/mxs-ocotp.c +++ b/drivers/nvmem/mxs-ocotp.c 
@@ -94,7 +94,7 @@ static int mxs_ocotp_read(void *context, const void *reg, size_t reg_size, if (ret) goto close_banks; - while (val_size) { + while (val_size >= reg_size) { if ((offset < OCOTP_DATA_OFFSET) || (offset % 16)) { /* fill up non-data register */ *buf = 0; @@ -103,7 +103,7 @@ static int mxs_ocotp_read(void *context, const void *reg, size_t reg_size, } buf++; - val_size--; + val_size -= reg_size; offset += reg_size; }
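Review bot: in the first hunk, the new condition `while (val_size >= reg_size)` ends the loop silently when val_size is not a multiple of reg_size, so the last val_size % reg_size bytes of the caller's buffer are never written and nothing in the visible lines reports that. If callers can only pass multiples of reg_size, say so in a comment above the loop; otherwise reject an unaligned val_size before the loop (for example with -EINVAL) so a short fill cannot be mistaken for a complete read.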
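Review bot: in the second hunk, `val_size -= reg_size` and `offset += reg_size` now step by reg_size while `buf++` still steps by the size of whatever buf points to, and the declaration of buf is outside the visible context. The overflow is only closed if sizeof(*buf) equals reg_size, so it would help to note that assumption next to `buf++` or to derive the decrement from sizeof(*buf). The loop also depends on reg_size being non-zero, since with reg_size == 0 val_size never shrinks while buf keeps advancing; a comment or an early check would make that precondition explicit.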