Hi Anton, I have not thought this driver should be loaded for any malicious device. Anyway we will update it.
Regards, James > -----Original Message----- > From: Anton Vasilyev [mailto:vasil...@ispras.ru] > Sent: Wednesday, August 02, 2017 1:06 AM > To: James Seong-Won Ban > Cc: Liam Girdwood; Mark Brown; linux-kernel@vger.kernel.org; ldv- > proj...@linuxtesting.org > Subject: Buffer overread in pv88090-regulator.ko > > Hello. > > While searching for memory errors in Linux kernel I've come across > drivers/regulator/pv88090-regulator.ko module. > > Buffer overread could occur at pv88090_i2c_probe(): > > If read from malicious device such values for conf2 and range (e.g. 0x10000000 > and 0x1000 for PV88090_ID_BUCK2) that > conf2 = (conf2 >> PV88090_BUCK_VDAC_RANGE_SHIFT) & > PV88090_BUCK_VDAC_RANGE_MASK; and > range = (range >> > (PV88080_BUCK_VRANGE_GAIN_SHIFT + i - 1)) & > PV88080_BUCK_VRANGE_GAIN_MASK; become 1 then > index = ((range << 1) | conf2); become 3, but index is used for > dereference pv88090_buck_vol[3]. > > Should be index=3 considered as incorrect value and pv88090_i2c_probe() must > return error, or pv88090_buck_vol[] should be expanded? > > Found by Linux Driver Verification project (linuxtesting.org). > > -- > Anton Vasilyev > Linux Verification Center, ISPRAS > web: http://linuxtesting.org > e-mail: vasil...@ispras.ru
