Buffer overread in pv88090-regulator.ko

From: Anton Vasilyev
Date: Tue Aug 01 2017 - 12:05:51 EST

Next message: Arvind Yadav: "[PATCH 04/10] agp: ali: constify pci_device_id."
Previous message: Arvind Yadav: "[PATCH 03/10] agp: intel: constify pci_device_id."
Next in thread: James Seong-Won Ban: "RE: Buffer overread in pv88090-regulator.ko"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello.

While searching for memory errors in Linux kernel I've come across
drivers/regulator/pv88090-regulator.ko module.

Buffer overread could occur at pv88090_i2c_probe():

If read from malicious device such values for conf2 and range
(e.g. 0x10000000 and 0x1000 for PV88090_ID_BUCK2) that
conf2 = (conf2 >> PV88090_BUCK_VDAC_RANGE_SHIFT) &
PV88090_BUCK_VDAC_RANGE_MASK;
and
range = (range >>
(PV88080_BUCK_VRANGE_GAIN_SHIFT + i - 1)) &
PV88080_BUCK_VRANGE_GAIN_MASK;
become 1 then
index = ((range << 1) | conf2);
become 3, but index is used for dereference pv88090_buck_vol[3].

Should be index=3 considered as incorrect value and pv88090_i2c_probe() must return error,
or pv88090_buck_vol[] should be expanded?

Found by Linux Driver Verification project (linuxtesting.org).

--
Anton Vasilyev
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: vasilyev@xxxxxxxxx

Next message: Arvind Yadav: "[PATCH 04/10] agp: ali: constify pci_device_id."
Previous message: Arvind Yadav: "[PATCH 03/10] agp: intel: constify pci_device_id."
Next in thread: James Seong-Won Ban: "RE: Buffer overread in pv88090-regulator.ko"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]