| Message ID | 20231107110520.4449-1-antonio.borneo@foss.st.com |
|---|---|
| State | Accepted |
| Commit | edd48fd9d45370d6c8ba0dd834fcc51ff688cc87 |
| Headers | show |
| Series | pinctrl: stm32: fix array read out of bound | expand |
On Tue, Nov 7, 2023 at 12:06 PM Antonio Borneo <antonio.borneo@foss.st.com> wrote: > The existing code does not verify if the "tentative" index exceeds > the size of the array, causing out of bound read. > Issue identified with kasan. > > Check the index before using it. > > Signed-off-by: Antonio Borneo <antonio.borneo@foss.st.com> > Fixes: 32c170ff15b0 ("pinctrl: stm32: set default gpio line names using pin names") Patch applied for fixes. And now I feel better about that I spent so much time porting Kasan to ARM32. Yours, Linus Walleij
diff --git a/drivers/pinctrl/stm32/pinctrl-stm32.c b/drivers/pinctrl/stm32/pinctrl-stm32.c index a73385a431de..56677bad10f7 100644 --- a/drivers/pinctrl/stm32/pinctrl-stm32.c +++ b/drivers/pinctrl/stm32/pinctrl-stm32.c @@ -1283,9 +1283,11 @@ static struct stm32_desc_pin *stm32_pctrl_get_desc_pin_from_gpio(struct stm32_pi int i; /* With few exceptions (e.g. bank 'Z'), pin number matches with pin index in array */ - pin_desc = pctl->pins + stm32_pin_nb; - if (pin_desc->pin.number == stm32_pin_nb) - return pin_desc; + if (stm32_pin_nb < pctl->npins) { + pin_desc = pctl->pins + stm32_pin_nb; + if (pin_desc->pin.number == stm32_pin_nb) + return pin_desc; + } /* Otherwise, loop all array to find the pin with the right number */ for (i = 0; i < pctl->npins; i++) {
The existing code does not verify if the "tentative" index exceeds the size of the array, causing out of bound read. Issue identified with kasan. Check the index before using it. Signed-off-by: Antonio Borneo <antonio.borneo@foss.st.com> Fixes: 32c170ff15b0 ("pinctrl: stm32: set default gpio line names using pin names") --- drivers/pinctrl/stm32/pinctrl-stm32.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) base-commit: ffc253263a1375a65fa6c9f62a893e9767fbebfa