LM
/
u-boot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

regmap: fix range checks 

On the 32bit ARM sandbox 'dm ut dm_test_devm_regmap' fails with an abort.
This is due to incorrect range checks.

On 32-bit systems the size of size_t and int is both 32 bit. The expression
(offset + val_len) is bound to overflow if offset == -1. Add an overflow
check.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
This commit is contained in:
Heinrich Schuchardt 2022-09-29 22:27:06 +00:00
parent 2afa989fbe
commit 947d4f132b
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
drivers/core/regmap.c
View File

@ -399,7 +399,7 @@ int regmap_raw_read_range(struct regmap *map, uint range_num, uint offset,
range = &map->ranges[range_num]; range = &map->ranges[range_num];
offset <<= map->reg_offset_shift; offset <<= map->reg_offset_shift;
if (offset + val_len > range->size) { if (offset + val_len > range->size || offset + val_len < offset) {
debug("%s: offset/size combination invalid\n", __func__); debug("%s: offset/size combination invalid\n", __func__);
return -ERANGE; return -ERANGE;
} }
@ -538,7 +538,7 @@ int regmap_raw_write_range(struct regmap *map, uint range_num, uint offset,
range = &map->ranges[range_num]; range = &map->ranges[range_num];
offset <<= map->reg_offset_shift; offset <<= map->reg_offset_shift;
if (offset + val_len > range->size) { if (offset + val_len > range->size || offset + val_len < offset) {
debug("%s: offset/size combination invalid\n", __func__); debug("%s: offset/size combination invalid\n", __func__);
return -ERANGE; return -ERANGE;
} }