[v2] gpio: sim: fix memory corruption when adding named lines and unnamed hogs

Message ID 20230606120034.42904-1-warthog618@gmail.com
State New
Series [v2] gpio: sim: fix memory corruption when adding named lines and unnamed hogs

Commit Message

Kent Gibson June 6, 2023, noon UTC
When constructing the sim, gpio-sim constructs an array of named lines,
sized based on the largest offset of any named line, and then initializes
that array with the names of all lines, including unnamed hogs with higher
offsets.  In doing so it writes NULLs beyond the extent of the array.

Add a check that only named lines are used to initialize the array.

Fixes: cb8c474e79be ("gpio: sim: new testing module")
Signed-off-by: Kent Gibson <warthog618@gmail.com>
---

changes v1 -> v2:
 - check offset as well to make the purpose of the check clearer

 drivers/gpio/gpio-sim.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
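The out-of-bounds write described in the commit message, as an added user-space model (not the driver's code): a constructed line list with two named lines and an unnamed hog is run through the pre-patch fill loop and the patched one, with sentinel slots placed after the logical array so the overrun is counted instead of corrupting memory. `sim_line`, `fill_line_names`, `count_overruns` and `named_max_offset` are hypothetical names, and the name array is assumed to hold `max_offset + 1` entries.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed model of a gpio-sim bank line: an offset and an optional name. */
struct sim_line { unsigned int offset; const char *name; };
#define GUARD ((char *)0x1)	/* sentinel for slots just past the logical array */

/* Largest offset among named lines only; this is what sizes the real array. */
static unsigned int named_max_offset(const struct sim_line *l, size_t n) {
	unsigned int max = 0;
	for (size_t i = 0; i < n; i++)
		if (l[i].name && l[i].offset > max) max = l[i].offset;
	return max;
}

/* Fill max_offset + 1 name slots. fixed == 0 mirrors the pre-patch loop (every
 * line, unnamed hogs included, is written); fixed != 0 applies the patch's check. */
static void fill_line_names(char **names, unsigned int max_offset,
			    const struct sim_line *l, size_t n, int fixed) {
	for (size_t i = 0; i < n; i++) {
		if (fixed && !(l[i].name && l[i].offset <= max_offset)) continue;
		names[l[i].offset] = (char *)l[i].name;
	}
}

/* Count writes landing past the logical array, i.e. clobbered GUARD slots.
 * The buffer is padded to the overall max offset so the pre-patch loop's
 * overrun is observable here rather than undefined behaviour. */
static int count_overruns(const struct sim_line *l, size_t n, int fixed) {
	unsigned int max_off = named_max_offset(l, n), all_max = 0;
	for (size_t i = 0; i < n; i++)
		if (l[i].offset > all_max) all_max = l[i].offset;
	size_t logical = max_off + 1, total = all_max + 1;
	char **names = calloc(total, sizeof(*names));
	if (!names) return -1;
	for (size_t i = logical; i < total; i++) names[i] = GUARD;
	fill_line_names(names, max_off, l, n, fixed);
	int clobbered = 0;
	for (size_t i = logical; i < total; i++)
		if (names[i] != GUARD) clobbered++;
	free(names);
	return clobbered;
}

/* Constructed sample: named lines at offsets 0 and 2, an unnamed hog at 5. */
static const struct sim_line sample[] = { { 0, "foo" }, { 2, "bar" }, { 5, NULL } };

int main(void) {
	printf("pre-patch overruns: %d, patched: %d\n",
	       count_overruns(sample, 3, 0), count_overruns(sample, 3, 1));
	return 0;
}
```

With the sample above the pre-patch loop writes one NULL past the three-entry logical array (the hog at offset 5) and the patched loop writes none.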
  

Comments

Bartosz Golaszewski June 6, 2023, 2:55 p.m. UTC | #1
On Tue, Jun 6, 2023 at 2:01 PM Kent Gibson <warthog618@gmail.com> wrote:
>
> When constructing the sim, gpio-sim constructs an array of named lines,
> sized based on the largest offset of any named line, and then initializes
> that array with the names of all lines, including unnamed hogs with higher
> offsets.  In doing so it writes NULLs beyond the extent of the array.
>
> Add a check that only named lines are used to initialize the array.
>
> Fixes: cb8c474e79be ("gpio: sim: new testing module")
> Signed-off-by: Kent Gibson <warthog618@gmail.com>
> ---
>
> changes v1 -> v2:
>  - check offset as well to make the purpose of the check clearer
>
>  drivers/gpio/gpio-sim.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpio/gpio-sim.c b/drivers/gpio/gpio-sim.c
> index e5dfd636c63c..09aa0b64859b 100644
> --- a/drivers/gpio/gpio-sim.c
> +++ b/drivers/gpio/gpio-sim.c
> @@ -721,8 +721,10 @@ static char **gpio_sim_make_line_names(struct gpio_sim_bank *bank,
>         if (!line_names)
>                 return ERR_PTR(-ENOMEM);
>
> -       list_for_each_entry(line, &bank->line_list, siblings)
> -               line_names[line->offset] = line->name;
> +       list_for_each_entry(line, &bank->line_list, siblings) {
> +               if (line->name && (line->offset <= max_offset))
> +                       line_names[line->offset] = line->name;
> +       }
>
>         return line_names;
>  }
> --
> 2.40.1
>

Thanks for figuring that out, queued for fixes.

Bart
  

Patch

diff --git a/drivers/gpio/gpio-sim.c b/drivers/gpio/gpio-sim.c
index e5dfd636c63c..09aa0b64859b 100644
--- a/drivers/gpio/gpio-sim.c
+++ b/drivers/gpio/gpio-sim.c
@@ -721,8 +721,10 @@  static char **gpio_sim_make_line_names(struct gpio_sim_bank *bank,
 	if (!line_names)
 		return ERR_PTR(-ENOMEM);
 
-	list_for_each_entry(line, &bank->line_list, siblings)
-		line_names[line->offset] = line->name;
+	list_for_each_entry(line, &bank->line_list, siblings) {
+		if (line->name && (line->offset <= max_offset))
+			line_names[line->offset] = line->name;
+	}
 
 	return line_names;
 }
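Review bot: the `line->offset <= max_offset` half of the new condition deserves a one-line comment saying it is a defensive bound check, because, with max_offset derived from named lines only as the commit message states, it can never be false for a named line and a later reader will wonder which input it guards against; the `line->name` test alone is what stops the NULL writes past the array. Minor: the parentheses around the comparison are unnecessary in kernel style, `if (line->name && line->offset <= max_offset)` reads the same.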