dmaengine: stm32-dmamux: fix a potential buffer overflow - linux

diff options

author	Pierre-Yves MORDRET <pierre-yves.mordret@st.com>	2018-03-13 17:55:35 +0100
committer	Vinod Koul <vinod.koul@intel.com>	2018-03-22 06:21:35 +0100
commit	3e4543bf20531d1cdb8672d25b3f2ff6d3d07627 (patch)
tree	0e4ccf921f0c9f47e68e0f242596302e212e35be /drivers/mfd/mc13xxx.h
parent	Linux 4.16-rc5 (diff)
download	linux-3e4543bf20531d1cdb8672d25b3f2ff6d3d07627.tar.xz linux-3e4543bf20531d1cdb8672d25b3f2ff6d3d07627.zip

dmaengine: stm32-dmamux: fix a potential buffer overflow

The bitfield dma_inuse is allocated of size dma_requests bits, thus a valid bit address is from 0 to (dma_requests - 1). When find_first_zero_bit() fails, it returns dma_requests as invalid address. Using such address for the following set_bit() is incorrect and, if dma_requests is a multiple of BITS_PER_LONG, it will cause a buffer overflow. Currently this driver is only used in DT stm32h743.dtsi where a safe value dma_requests=16 is not triggering the buffer overflow. Fixed by checking the return value of find_first_zero_bit() _before_ using it. Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com> Signed-off-by: Pierre-Yves MORDRET <pierre-yves.mordret@st.com> Signed-off-by: Vinod Koul <vinod.koul@intel.com>

Diffstat (limited to 'drivers/mfd/mc13xxx.h')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: