summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFrank Rowand <frank.rowand@sony.com>2018-05-17 06:19:51 +0200
committerRob Herring <robh@kernel.org>2018-05-23 22:07:43 +0200
commit482137bf2aecd887ebfa8756456764a2f6a0e545 (patch)
tree93348102e5fd1d4ab474eb4fb66f1631ea17c82f
parentof: unittest: for strings, account for trailing \0 in property length field (diff)
downloadlinux-482137bf2aecd887ebfa8756456764a2f6a0e545.tar.xz
linux-482137bf2aecd887ebfa8756456764a2f6a0e545.zip
of: overlay: validate offset from property fixups
The smatch static checker marks the data in offset as untrusted, leading it to warn: drivers/of/resolver.c:125 update_usages_of_a_phandle_reference() error: buffer underflow 'prop->value' 's32min-s32max' Add check to verify that offset is within the property data. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Frank Rowand <frank.rowand@sony.com> Cc: <stable@vger.kernel.org> Signed-off-by: Rob Herring <robh@kernel.org>
-rw-r--r--drivers/of/resolver.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/of/resolver.c b/drivers/of/resolver.c
index 65d0b7adfcd4..7edfac6f1914 100644
--- a/drivers/of/resolver.c
+++ b/drivers/of/resolver.c
@@ -122,6 +122,11 @@ static int update_usages_of_a_phandle_reference(struct device_node *overlay,
goto err_fail;
}
+ if (offset < 0 || offset + sizeof(__be32) > prop->length) {
+ err = -EINVAL;
+ goto err_fail;
+ }
+
*(__be32 *)(prop->value + offset) = cpu_to_be32(phandle);
}