diff options
author | Frank Rowand <frank.rowand@sony.com> | 2018-05-17 06:19:51 +0200 |
---|---|---|
committer | Rob Herring <robh@kernel.org> | 2018-05-23 22:07:43 +0200 |
commit | 482137bf2aecd887ebfa8756456764a2f6a0e545 (patch) | |
tree | 93348102e5fd1d4ab474eb4fb66f1631ea17c82f | |
parent | of: unittest: for strings, account for trailing \0 in property length field (diff) | |
download | linux-482137bf2aecd887ebfa8756456764a2f6a0e545.tar.xz linux-482137bf2aecd887ebfa8756456764a2f6a0e545.zip |
of: overlay: validate offset from property fixups
The smatch static checker marks the data in offset as untrusted,
leading it to warn:
drivers/of/resolver.c:125 update_usages_of_a_phandle_reference()
error: buffer underflow 'prop->value' 's32min-s32max'
Add check to verify that offset is within the property data.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Frank Rowand <frank.rowand@sony.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Rob Herring <robh@kernel.org>
-rw-r--r-- | drivers/of/resolver.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/of/resolver.c b/drivers/of/resolver.c index 65d0b7adfcd4..7edfac6f1914 100644 --- a/drivers/of/resolver.c +++ b/drivers/of/resolver.c @@ -122,6 +122,11 @@ static int update_usages_of_a_phandle_reference(struct device_node *overlay, goto err_fail; } + if (offset < 0 || offset + sizeof(__be32) > prop->length) { + err = -EINVAL; + goto err_fail; + } + *(__be32 *)(prop->value + offset) = cpu_to_be32(phandle); } |