forge/linux-uconsole
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions
linux-uconsole/drivers/spi
History
Ian Abbott 14a1fe5de9 spi: spidev: fix possible arithmetic overflow for multi-transfer message 
commit f20fbaad76 upstream.

`spidev_message()` sums the lengths of the individual SPI transfers to
determine the overall SPI message length.  It restricts the total
length, returning an error if too long, but it does not check for
arithmetic overflow.  For example, if the SPI message consisted of two
transfers and the first has a length of 10 and the second has a length
of (__u32)(-1), the total length would be seen as 9, even though the
second transfer is actually very long.  If the second transfer specifies
a null `rx_buf` and a non-null `tx_buf`, the `copy_from_user()` could
overrun the spidev's pre-allocated tx buffer before it reaches an
invalid user memory address.  Fix it by checking that neither the total
nor the individual transfer lengths exceed the maximum allowed value.

Thanks to Dan Carpenter for reporting the potential integer overflow.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2015-05-06 21:56:21 +02:00
..
Kconfig Removal of GENERIC_GPIO for v3.10 2013-05-09 09:59:16 -07:00
Makefile spi/tegra114: add spi driver 2013-04-07 10:08:00 +01:00
spi-altera.c spi: remove check for bits_per_word on transfer from low level driver 2013-02-05 12:26:59 +00:00
spi-ath79.c spi: spi-ath79: fix initial GPIO CS line setup 2014-03-23 21:38:16 -07:00
spi-atmel.c Merge remote-tracking branch 'spi/fix/grant' into spi-linus 2013-05-13 18:27:18 +04:00
spi-au1550.c spi: Remove erroneous __init, __exit and __exit_p() references in drivers 2013-02-05 14:43:16 +00:00
spi-bcm63xx.c spi/bcm63xx: don't substract prepend length from total length 2014-02-13 13:48:01 -08:00
spi-bcm2835.c spi: bcm2835: make use of new bits_per_word_mask core feature 2013-04-01 14:14:33 +01:00
spi-bfin-sport.c spi: remove check for bits_per_word on transfer from low level driver 2013-02-05 12:26:59 +00:00
spi-bfin5xx.c spi: Remove erroneous __init, __exit and __exit_p() references in drivers 2013-02-05 14:43:16 +00:00
spi-bitbang-txrx.h spi: reorganize drivers 2011-06-06 01:16:30 -06:00
spi-bitbang.c Merge branch 'broonie/spi-next' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/misc.git 2013-02-05 12:30:13 +00:00
spi-butterfly.c spi: Add module.h to implicit users in drivers/spi 2011-10-31 19:32:17 -04:00
spi-clps711x.c spi: remove check for bits_per_word on transfer from low level driver 2013-02-05 12:26:59 +00:00
spi-coldfire-qspi.c spi: remove check for bits_per_word on transfer from low level driver 2013-02-05 12:26:59 +00:00
spi-davinci.c spi: spi-davinci: Fix direction in dma_map_single() 2013-08-11 18:35:25 -07:00
spi-dw-mid.c spi: dw-mid: fix FIFO size 2015-02-05 22:35:36 -08:00
spi-dw-mmio.c spi: Remove HOTPLUG section attributes 2012-12-07 17:06:43 +00:00
spi-dw-pci.c spi: Remove HOTPLUG section attributes 2012-12-07 17:06:43 +00:00
spi-dw.c spi: dw: Fix dynamic speed change. 2014-12-06 15:05:49 -08:00
spi-dw.h spi: spi-dw: fix all sparse warnings 2011-09-21 09:41:48 -06:00
spi-ep93xx.c Driver core patches for 3.9-rc1 2013-02-21 12:05:51 -08:00
spi-falcon.c spi/mips-lantiq: set SPI_MASTER_HALF_DUPLEX flag 2013-02-05 17:16:55 +00:00
spi-fsl-cpm.c spi/spi-fsl-spi: Make driver usable in CPU mode outside of an FSL_SOC environment 2013-04-07 10:07:54 +01:00
spi-fsl-cpm.h spi/spi-fsl-spi: Make driver usable in CPU mode outside of an FSL_SOC environment 2013-04-07 10:07:54 +01:00
spi-fsl-espi.c spi: Remove HOTPLUG section attributes 2012-12-07 17:06:43 +00:00
spi-fsl-lib.c spi/spi-fsl-spi: Make driver usable in CPU mode outside of an FSL_SOC environment 2013-04-07 10:07:54 +01:00
spi-fsl-lib.h spi/spi-fsl-spi: Add support for gpio chipselects for GRLIB type cores 2013-04-07 10:07:57 +01:00
spi-fsl-spi.c spi/spi-fsl-spi: Add support for gpio chipselects for GRLIB type cores 2013-04-07 10:07:57 +01:00
spi-fsl-spi.h spi/spi-fsl-spi: Add support for Aeroflex Gaisler GRLIB cores normally running on SPARC 2013-04-07 10:07:56 +01:00
spi-gpio.c spi-gpio: init CS before spi_bitbang_setup() 2013-04-10 14:47:09 +01:00
spi-imx.c spi/imx: Add MODULE_ALIAS() 2013-02-05 13:17:12 +00:00
spi-lm70llp.c spi: By default setup spi_masters with 1 chipselect and dynamics bus number 2012-05-19 23:42:08 -06:00
spi-mpc52xx-psc.c spi: Remove HOTPLUG section attributes 2012-12-07 17:06:43 +00:00
spi-mpc52xx.c spi: Remove HOTPLUG section attributes 2012-12-07 17:06:43 +00:00
spi-mpc512x-psc.c spi: spi-mpc512x-psc: let transmiter/receiver enabled when in xfer loop 2013-04-09 17:53:39 +01:00
spi-mxs.c ARM: arm-soc device tree changes, part 2 2013-05-07 11:06:17 -07:00
spi-nuc900.c spi: Remove HOTPLUG section attributes 2012-12-07 17:06:43 +00:00
spi-oc-tiny.c spi: spi-oc-tiny: Use of_match_ptr() macro 2013-04-01 14:27:09 +01:00
spi-octeon.c spi: Remove HOTPLUG section attributes 2012-12-07 17:06:43 +00:00
spi-omap-100k.c spi: Remove erroneous __init, __exit and __exit_p() references in drivers 2013-02-05 14:43:16 +00:00
spi-omap-uwire.c spi: Remove erroneous __init, __exit and __exit_p() references in drivers 2013-02-05 14:43:16 +00:00
spi-omap2-mcspi.c spi: omap2-mcspi: Configure hardware when slave driver changes mode 2014-09-17 09:03:57 -07:00
spi-orion.c spi: orion: fix incorrect handling of cell-index DT property 2014-09-17 09:03:57 -07:00
spi-pl022.c spi: pl022: Fix race in giveback() leading to driver lock-up 2015-03-26 15:00:58 +01:00
spi-ppc4xx.c Device tree changes for v3.9 2013-02-20 11:04:46 -08:00
spi-pxa2xx-dma.c spi/pxa2xx: use GFP_ATOMIC in sg table allocation 2013-06-18 19:11:04 +01:00
spi-pxa2xx-pci.c spi/pxa2xx-pci: correct the return value check of pcim_iomap_regions() 2013-03-12 18:30:56 +00:00
spi-pxa2xx-pxadma.c spi/pxa2xx: break out the private DMA API usage into a separate file 2013-02-08 12:15:21 +00:00
spi-pxa2xx.c spi/pxa2xx: Clear cur_chip pointer before starting next message 2015-02-05 22:35:37 -08:00
spi-pxa2xx.h spi/pxa2xx: add support for Intel Low Power Subsystem SPI 2013-02-08 13:14:40 +00:00
spi-rspi.c spi: Remove HOTPLUG section attributes 2012-12-07 17:06:43 +00:00
spi-s3c24xx-fiq.h spi: reorganize drivers 2011-06-06 01:16:30 -06:00
spi-s3c24xx-fiq.S spi: reorganize drivers 2011-06-06 01:16:30 -06:00
spi-s3c24xx.c spi: Remove HOTPLUG section attributes 2012-12-07 17:06:43 +00:00
spi-s3c64xx.c spi: s3c64xx: Fix pm_runtime_get_sync() return value check 2013-06-10 18:04:00 +01:00
spi-sc18is602.c spi/sc18is602: Return -EINVAL for probe failures due to I2C function mismatch 2012-08-23 12:13:54 +01:00
spi-sh-hspi.c spi: hspi: fixup long delay time 2013-06-04 18:51:40 +01:00
spi-sh-msiof.c spi: spi-sh-msiof: Use of_match_ptr() macro 2013-04-01 14:27:14 +01:00
spi-sh-sci.c spi: Add module.h to implicit users in drivers/spi 2011-10-31 19:32:17 -04:00
spi-sh.c spi: Remove HOTPLUG section attributes 2012-12-07 17:06:43 +00:00
spi-sirf.c spi/sirf: fix MODULE_DEVICE_TABLE 2013-04-23 19:27:00 +01:00
spi-tegra20-sflash.c drivers/spi: don't check resource with devm_ioremap_resource 2013-05-18 11:57:24 +02:00
spi-tegra20-slink.c spi: tegra: slink: make local symbols static 2013-04-08 13:41:34 +01:00
spi-tegra114.c spi/tegra114: add spi driver 2013-04-07 10:08:00 +01:00
spi-ti-ssp.c spi: Remove HOTPLUG section attributes 2012-12-07 17:06:43 +00:00
spi-tle62x0.c spi: Remove HOTPLUG section attributes 2012-12-07 17:06:43 +00:00
spi-topcliff-pch.c spi: topcliff-pch: fix error return code in pch_spi_probe() 2013-05-22 11:08:36 -05:00
spi-txx9.c spi: Remove erroneous __init, __exit and __exit_p() references in drivers 2013-02-05 14:43:16 +00:00
spi-xcomm.c spi: Remove HOTPLUG section attributes 2012-12-07 17:06:43 +00:00
spi-xilinx.c spi: spi-xilinx: Remove ISR race condition 2013-06-04 18:32:19 +01:00
spi.c spi: Fix crash with double message finalisation on error handling 2014-02-22 12:41:26 -08:00
spidev.c spi: spidev: fix possible arithmetic overflow for multi-transfer message 2015-05-06 21:56:21 +02:00