drivers: richtek: fix write-out-of-bounds in rt_regmap_cache_init()

KASAN warns about a write-out-of-bounds in rt_regmap_cache_init():

	if (!rd->props.group) {
		rd->props.group = devm_kzalloc(&rd->dev,
				sizeof(rd->props.group), GFP_KERNEL);   <- allocated here
		rd->props.group[0].start = 0x00;
		rd->props.group[0].end = 0xffff;
		rd->props.group[0].mode = RT_1BYTE_MODE;                <- written here
	}

The devm_kzalloc() call a few lines above is accidentally requesting
enough space to store a pointer type, which isn't enough space to hold
the struct itself.

Change-Id: I0036262b3129bd86d2e8612fb9b67a848bbb4ead
Signed-off-by: Greg Hackmann <ghackmann@google.com>

diff --git a/drivers/usb/pd/richtek/rt-regmap.c b/drivers/usb/pd/richtek/rt-regmap.c
index 413ccdf25076a3137cc359673b647e840afe0592..db396dce5889336e452a067e33fc5d087dbdb3cf 100644 (file)
--- a/drivers/usb/pd/richtek/rt-regmap.c
+++ b/drivers/usb/pd/richtek/rt-regmap.c
@@ -1084,7 +1084,7 @@ int rt_regmap_cache_init(struct rt_regmap_device *rd)
 
        if (!rd->props.group) {
                rd->props.group = devm_kzalloc(&rd->dev,
-                               sizeof(rd->props.group), GFP_KERNEL);
+                               sizeof(*rd->props.group), GFP_KERNEL);
                rd->props.group[0].start = 0x00;
                rd->props.group[0].end = 0xffff;
                rd->props.group[0].mode = RT_1BYTE_MODE;