Google Git
Sign in
android-kvm / linux / 3e4543bf20531d1cdb8672d25b3f2ff6d3d07627
commit3e4543bf20531d1cdb8672d25b3f2ff6d3d07627[log] [tgz]
authorPierre-Yves MORDRET <pierre-yves.mordret@st.com>Tue Mar 13 17:55:35 2018 +0100
committerVinod Koul <vinod.koul@intel.com>Thu Mar 22 10:51:35 2018 +0530
tree0e4ccf921f0c9f47e68e0f242596302e212e35be
parent0c8efd610b58cb23cefdfa12015799079aef94ae [diff]
dmaengine: stm32-dmamux: fix a potential buffer overflow

The bitfield dma_inuse is allocated of size dma_requests bits, thus a
valid bit address is from 0 to (dma_requests - 1).
When find_first_zero_bit() fails, it returns dma_requests as invalid
address.
Using such address for the following set_bit() is incorrect and, if
dma_requests is a multiple of BITS_PER_LONG, it will cause a buffer
overflow.
Currently this driver is only used in DT stm32h743.dtsi where a safe value
dma_requests=16 is not triggering the buffer overflow.

Fixed by checking the return value of find_first_zero_bit() _before_
using it.

Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
Signed-off-by: Pierre-Yves MORDRET <pierre-yves.mordret@st.com>
Signed-off-by: Vinod Koul <vinod.koul@intel.com>
1 file changed
tree: 0e4ccf921f0c9f47e68e0f242596302e212e35be
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. LICENSES/
  15. mm/
  16. net/
  17. samples/
  18. scripts/
  19. security/
  20. sound/
  21. tools/
  22. usr/
  23. virt/
  24. .cocciconfig
  25. .get_maintainer.ignore
  26. .gitattributes
  27. .gitignore
  28. .mailmap
  29. COPYING
  30. CREDITS
  31. Kbuild
  32. Kconfig
  33. MAINTAINERS
  34. Makefile
  35. README