[PATCH] platform/chrome: cros_ec: fix read overflow in cros_ec_lpc_readmem()

From: Dan Carpenter
Date: Thu Dec 09 2021 - 09:37:30 EST

Next message: Christian Brauner: "Re: [PATCH v5 15/16] ima: Move dentries into ima_namespace"
Previous message: Andy Shevchenko: "[PATCH v1 2/3] ata: sata_dwc_460ex: Use temporary variable for struct device"
Next in thread: Guenter Roeck: "Re: [PATCH] platform/chrome: cros_ec: fix read overflow in cros_ec_lpc_readmem()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

If bytes is larger than EC_MEMMAP_SIZE (255) then "EC_MEMMAP_SIZE -
bytes" is a very high unsigned value and basically offset is
accepted. The second problem is that it uses >= instead of > so this
means that we are not able to read the very last byte.

Fixes: ec2f33ab582b ("platform/chrome: Add cros_ec_lpc driver for x86 devices")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
drivers/platform/chrome/cros_ec_lpc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/platform/chrome/cros_ec_lpc.c b/drivers/platform/chrome/cros_ec_lpc.c
index d6306d2a096f..7e1d175def9f 100644
--- a/drivers/platform/chrome/cros_ec_lpc.c
+++ b/drivers/platform/chrome/cros_ec_lpc.c
@@ -290,7 +290,8 @@ static int cros_ec_lpc_readmem(struct cros_ec_device *ec, unsigned int offset,
char *s = dest;
int cnt = 0;

- if (offset >= EC_MEMMAP_SIZE - bytes)
+ if (offset > EC_MEMMAP_SIZE ||
+ bytes > EC_MEMMAP_SIZE - offset)
return -EINVAL;

/* fixed length */
--
2.20.1

Next message: Christian Brauner: "Re: [PATCH v5 15/16] ima: Move dentries into ima_namespace"
Previous message: Andy Shevchenko: "[PATCH v1 2/3] ata: sata_dwc_460ex: Use temporary variable for struct device"
Next in thread: Guenter Roeck: "Re: [PATCH] platform/chrome: cros_ec: fix read overflow in cros_ec_lpc_readmem()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]