Re: [PATCH RESEND] regulator: rn5t618: Fix out of bounds array access

From: Stefan Agner
Date: Sat Apr 15 2017 - 12:53:43 EST


On 2017-04-15 07:52, Axel Lin wrote:
> The commit "regulator: rn5t618: Add RN5T567 PMIC support" added
> RN5T618_DCDC4 to the enum, then RN5T618_REG_NUM is also changed.
> So for rn5t618, there is out of bounds array access when checking
> regulators[i].name in the for loop.

I use designated initializers ([RN5T618_##rid] = {..), which guarantee
that the non initialized elements are zero. The highest element LDORTC2
is defined, hence the length of the array should be RN5T618_REG_NUM.

See also
https://gcc.gnu.org/onlinedocs/gcc/Designated-Inits.html

--
Stefan


>
> The number of regulators is different for rn5t567 and rn5t618, so we had
> better remove RN5T618_REG_NUM and get the correct num_regulators during
> probe instead.
>
> Fixes: ed6d362d8dbc ("regulator: rn5t618: Add RN5T567 PMIC support")
> Signed-off-by: Axel Lin <axel.lin@xxxxxxxxxx>
> ---
> RESEND: Correct subject line (remove double Fix)
>
> drivers/regulator/rn5t618-regulator.c | 8 ++++----
> include/linux/mfd/rn5t618.h | 1 -
> 2 files changed, 4 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/regulator/rn5t618-regulator.c
> b/drivers/regulator/rn5t618-regulator.c
> index 8d2819e..0c09143 100644
> --- a/drivers/regulator/rn5t618-regulator.c
> +++ b/drivers/regulator/rn5t618-regulator.c
> @@ -85,14 +85,17 @@ static int rn5t618_regulator_probe(struct
> platform_device *pdev)
> struct regulator_config config = { };
> struct regulator_dev *rdev;
> struct regulator_desc *regulators;
> + int num_regulators;
> int i;
>
> switch (rn5t618->variant) {
> case RN5T567:
> regulators = rn5t567_regulators;
> + num_regulators = ARRAY_SIZE(rn5t567_regulators);
> break;
> case RN5T618:
> regulators = rn5t618_regulators;
> + num_regulators = ARRAY_SIZE(rn5t618_regulators);
> break;
> default:
> return -EINVAL;
> @@ -101,10 +104,7 @@ static int rn5t618_regulator_probe(struct
> platform_device *pdev)
> config.dev = pdev->dev.parent;
> config.regmap = rn5t618->regmap;
>
> - for (i = 0; i < RN5T618_REG_NUM; i++) {
> - if (!regulators[i].name)
> - continue;
> -
> + for (i = 0; i < num_regulators; i++) {
> rdev = devm_regulator_register(&pdev->dev,
> &regulators[i],
> &config);
> diff --git a/include/linux/mfd/rn5t618.h b/include/linux/mfd/rn5t618.h
> index e5a6cde..d7b3155 100644
> --- a/include/linux/mfd/rn5t618.h
> +++ b/include/linux/mfd/rn5t618.h
> @@ -233,7 +233,6 @@ enum {
> RN5T618_LDO5,
> RN5T618_LDORTC1,
> RN5T618_LDORTC2,
> - RN5T618_REG_NUM,
> };
>
> enum {