Commit 5f4f94e

ChiYuan Huang authored and lag-linaro committed
mfd: mt6360: Add bounds checking in Regmap read/write call-backs
Fix the potential risk of OOB read if bank index is over the maximum.

Refer to the discussion list for the experiment result on mt6370.
https://lore.kernel.org/all/[email protected]/
If not to check the bound, there is the same issue on mt6360.

Cc: [email protected]
Fixes: 3b08504 (mfd: mt6360: Merge different sub-devices I2C read/write)
Signed-off-by: ChiYuan Huang <[email protected]>
Signed-off-by: Lee Jones <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
1 parent 4bef4d5 commit 5f4f94e

1 file changed

Lines changed: 12 additions & 2 deletions

drivers/mfd/mt6360-core.c

Original file line numberDiff line numberDiff line change
@@ -402,14 +402,19 @@ static int mt6360_regmap_read(void *context, const void *reg, size_t reg_size,
402402
struct mt6360_ddata *ddata = context;
403403
u8 bank = *(u8 *)reg;
404404
u8 reg_addr = *(u8 *)(reg + 1);
405-
struct i2c_client *i2c = ddata->i2c[bank];
405+
struct i2c_client *i2c;
406406
bool crc_needed = false;
407407
u8 *buf;
408408
int buf_len = MT6360_ALLOC_READ_SIZE(val_size);
409409
int read_size = val_size;
410410
u8 crc;
411411
int ret;
412412

413+
if (bank >= MT6360_SLAVE_MAX)
414+
return -EINVAL;
415+
416+
i2c = ddata->i2c[bank];
417+
413418
if (bank == MT6360_SLAVE_PMIC || bank == MT6360_SLAVE_LDO) {
414419
crc_needed = true;
415420
ret = mt6360_xlate_pmicldo_addr(&reg_addr, val_size);
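Review bot: The new `if (bank >= MT6360_SLAVE_MAX)` check in mt6360_regmap_read() is only correct if MT6360_SLAVE_MAX is the element count of `ddata->i2c`, and the hunk does not show that declaration. Comparing against `ARRAY_SIZE(ddata->i2c)` would tie the bound to the array itself, so a later change to the enum or the array cannot silently reopen the out-of-bounds read. Separately, `bank` and `reg_addr` are still read from `reg` and `reg + 1` without looking at `reg_size`. If the regmap configuration guarantees a two-byte register, a short comment saying so next to the new check would document why no length check is needed here.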
@@ -453,13 +458,18 @@ static int mt6360_regmap_write(void *context, const void *val, size_t val_size)
453458
struct mt6360_ddata *ddata = context;
454459
u8 bank = *(u8 *)val;
455460
u8 reg_addr = *(u8 *)(val + 1);
456-
struct i2c_client *i2c = ddata->i2c[bank];
461+
struct i2c_client *i2c;
457462
bool crc_needed = false;
458463
u8 *buf;
459464
int buf_len = MT6360_ALLOC_WRITE_SIZE(val_size);
460465
int write_size = val_size - MT6360_REGMAP_REG_BYTE_SIZE;
461466
int ret;
462467

468+
if (bank >= MT6360_SLAVE_MAX)
469+
return -EINVAL;
470+
471+
i2c = ddata->i2c[bank];
472+
463473
if (bank == MT6360_SLAVE_PMIC || bank == MT6360_SLAVE_LDO) {
464474
crc_needed = true;
465475
ret = mt6360_xlate_pmicldo_addr(&reg_addr, val_size - MT6360_REGMAP_REG_BYTE_SIZE);
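Review bot: In mt6360_regmap_write() the initializer `int write_size = val_size - MT6360_REGMAP_REG_BYTE_SIZE;` and the read of `*(u8 *)(val + 1)` both run before any check that `val_size` is at least MT6360_REGMAP_REG_BYTE_SIZE, so the added bank check closes the array index problem but leaves the length unvalidated. Since `val_size` is a `size_t`, a shorter buffer would make the subtraction wrap before it is stored in an `int`. Consider rejecting `val_size < MT6360_REGMAP_REG_BYTE_SIZE` with -EINVAL next to the new bank check. The bank validation is also duplicated verbatim from the read callback, so a small shared helper that returns the `struct i2c_client *` or an error would keep the two paths from drifting apart.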
