From: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Date: Thu, 29 Sep 2022 22:27:06 +0000 (+0000)
Subject: regmap: fix range checks
X-Git-Tag: v2023.07~308^2~20
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=947d4f132b4d67a0d15859b354ed3fc71410105b;p=platform%2Fkernel%2Fu-boot.git

regmap: fix range checks

On the 32bit ARM sandbox 'dm ut dm_test_devm_regmap' fails with an abort.
This is due to incorrect range checks.

On 32-bit systems the size of size_t and int is both 32 bit. The expression
(offset + val_len) is bound to overflow if offset == -1. Add an overflow
check.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
---

diff --git a/drivers/core/regmap.c b/drivers/core/regmap.c
index 5f98f85..5ccbf9a 100644
--- a/drivers/core/regmap.c
+++ b/drivers/core/regmap.c
@@ -399,7 +399,7 @@ int regmap_raw_read_range(struct regmap *map, uint range_num, uint offset,
 	range = &map->ranges[range_num];
 
 	offset <<= map->reg_offset_shift;
-	if (offset + val_len > range->size) {
+	if (offset + val_len > range->size || offset + val_len < offset) {
 		debug("%s: offset/size combination invalid\n", __func__);
 		return -ERANGE;
 	}
@@ -538,7 +538,7 @@ int regmap_raw_write_range(struct regmap *map, uint range_num, uint offset,
 	range = &map->ranges[range_num];
 
 	offset <<= map->reg_offset_shift;
-	if (offset + val_len > range->size) {
+	if (offset + val_len > range->size || offset + val_len < offset) {
 		debug("%s: offset/size combination invalid\n", __func__);
 		return -ERANGE;
 	}