From patchwork Mon Nov 26 16:35:07 2018
X-Patchwork-Submitter: Luca Ceresoli
X-Patchwork-Id: 10698609
From: Luca Ceresoli
To: linux-media@vger.kernel.org
Cc: Luca Ceresoli, Sakari Ailus, Leon Luo, Mauro Carvalho Chehab, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH] media: imx274: fix stack corruption in imx274_read_reg
Date: Mon, 26 Nov 2018 17:35:07 +0100
Message-Id: <20181126163507.31598-1-luca@lucaceresoli.net>

imx274_read_reg() takes a u8 pointer ("reg") and casts it to pass it to
regmap_read(), which takes an unsigned int pointer. This results in a
corrupted stack and random crashes.

Fixes: 0985dd306f72 ("media: imx274: V4l2 driver for Sony imx274 CMOS sensor")
Cc: stable@vger.kernel.org # 4.15.x
Signed-off-by: Luca Ceresoli --- Notes! I have no evidence of this bug showing up in the mainline driver. It appeared on a modified version where imx274_read_reg() is used, unmodified, in a different way than it does in mainline (passing a pointer to a single u8 instead of a pointer to an element of a u8 array). Also the bug is only present in versions v4.15 (where the driver was added) to v4.19. The offending function is unused since commit ca017467c78b ("media: imx274: add helper to read multibyte registers"), merged in v4.20-rc1, thus master is not affected. I'm sending this bugfix patch anyway for easier integration in the stable branches. Later I plan to send a patch against master to entirely remove the function. Or somebody might want to use this function again, so better having a fixed version out anyway. I'm not 100% sure this qualifies this commit for stable trees. --- drivers/media/i2c/imx274.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/media/i2c/imx274.c b/drivers/media/i2c/imx274.c index e1b0395a657f..40c717f13eb8 100644 --- a/drivers/media/i2c/imx274.c +++ b/drivers/media/i2c/imx274.c @@ -619,16 +619,19 @@ static int imx274_write_table(struct stimx274 *priv, const struct reg_8 table[]) static inline int imx274_read_reg(struct stimx274 *priv, u16 addr, u8 *val) { + unsigned int uint_val; int err; - err = regmap_read(priv->regmap, addr, (unsigned int *)val); + err = regmap_read(priv->regmap, addr, &uint_val); if (err) dev_err(&priv->client->dev, "%s : i2c read failed, addr = %x\n", __func__, addr); else dev_dbg(&priv->client->dev, "%s : addr 0x%x, val=0x%x\n", __func__, - addr, *val); + addr, uint_val); + + *val = uint_val; return err; }
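
Review bot: at the end of imx274_read_reg(), `*val = uint_val;` runs on the error path as well, and uint_val is declared without an initializer, so if regmap_read() returns an error without storing a value, the caller's u8 receives an indeterminate stack value. Move the assignment into the else branch next to the dev_dbg() call, or declare `unsigned int uint_val = 0;`. The store also narrows unsigned int to u8 implicitly; an explicit `(u8)` cast or a one-line comment would document that the truncation is intended.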