From: Pratyush Yadav Date: Tue, 26 May 2020 12:05:57 +0000 (+0530) Subject: regmap: Check for out-of-range offsets before mapping them X-Git-Tag: v2020.10~139^2~14^2~8 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=b59889bf344dd261b50d69a5eacfa2874573c7cd;p=platform%2Fkernel%2Fu-boot.git regmap: Check for out-of-range offsets before mapping them In regmap_raw_{read,write}_range(), offsets are checked to make sure they aren't out of range. But this check happens _after_ the address is mapped from physical memory. Input should be sanity-checked before using it. Mapping the address before validating it leaves the door open to passing an invalid address to map_physmem(). So check for out of range offsets _before_ mapping them. This fixes a segmentation fault in sandbox when -1 is used as an offset to regmap_{read,write}(). Signed-off-by: Pratyush Yadav --- diff --git a/drivers/core/regmap.c b/drivers/core/regmap.c index 4a214ef..a67a237 100644 --- a/drivers/core/regmap.c +++ b/drivers/core/regmap.c @@ -310,13 +310,13 @@ int regmap_raw_read_range(struct regmap *map, uint range_num, uint offset, } range = &map->ranges[range_num]; - ptr = map_physmem(range->start + offset, val_len, MAP_NOCACHE); - if (offset + val_len > range->size) { debug("%s: offset/size combination invalid\n", __func__); return -ERANGE; } + ptr = map_physmem(range->start + offset, val_len, MAP_NOCACHE); + switch (val_len) { case REGMAP_SIZE_8: *((u8 *)valp) = __read_8(ptr, map->endianness); @@ -419,13 +419,13 @@ int regmap_raw_write_range(struct regmap *map, uint range_num, uint offset, } range = &map->ranges[range_num]; - ptr = map_physmem(range->start + offset, val_len, MAP_NOCACHE); - if (offset + val_len > range->size) { debug("%s: offset/size combination invalid\n", __func__); return -ERANGE; } + ptr = map_physmem(range->start + offset, val_len, MAP_NOCACHE); + switch (val_len) { case REGMAP_SIZE_8: __write_8(ptr, val, map->endianness);