From efc6aa53ca49b6d2b13875e021d2599de0b9fc38 Mon Sep 17 00:00:00 2001 From: Subbaraman Narayanamurthy Date: Tue, 17 Jan 2017 20:31:42 -0800 Subject: regulator: qpnp-labibb: fix an out of bounds access Number of elements in ibb_pwrup_dly_table is 4. An out of bounds access can be made if value read from IBB_PWRUP_PWRDN_CTL_1 register is larger than 3 as the DLY1 value is not shifted. Fix it. CRs-Fixed: 1112706 Change-Id: I40783a9c87d1e390a514b84743379c57f488f299 Signed-off-by: Subbaraman Narayanamurthy --- drivers/regulator/qpnp-labibb-regulator.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/drivers/regulator/qpnp-labibb-regulator.c b/drivers/regulator/qpnp-labibb-regulator.c index 8dbe3080873c..67b97256da1f 100644 --- a/drivers/regulator/qpnp-labibb-regulator.c +++ b/drivers/regulator/qpnp-labibb-regulator.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved. +/* Copyright (c) 2014-2017, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -3331,7 +3331,7 @@ static int register_qpnp_ibb_regulator(struct qpnp_labibb *labibb, struct regulator_init_data *init_data; struct regulator_desc *rdesc = &labibb->ibb_vreg.rdesc; struct regulator_config cfg = {}; - u8 val, ibb_enable_ctl; + u8 val, ibb_enable_ctl, index; u32 tmp; if (!of_node) { @@ -3460,11 +3460,11 @@ static int register_qpnp_ibb_regulator(struct qpnp_labibb *labibb, return rc; } - labibb->ibb_vreg.pwrup_dly = ibb_pwrup_dly_table[ - (val & - IBB_PWRUP_PWRDN_CTL_1_DLY1_MASK)]; - labibb->ibb_vreg.pwrdn_dly = ibb_pwrdn_dly_table[val & - IBB_PWRUP_PWRDN_CTL_1_DLY2_MASK]; + index = (val & IBB_PWRUP_PWRDN_CTL_1_DLY1_MASK) >> + IBB_PWRUP_PWRDN_CTL_1_DLY1_SHIFT; + labibb->ibb_vreg.pwrup_dly = ibb_pwrup_dly_table[index]; + index = val & IBB_PWRUP_PWRDN_CTL_1_DLY2_MASK; + labibb->ibb_vreg.pwrdn_dly = ibb_pwrdn_dly_table[index]; labibb->ibb_vreg.vreg_enabled = 1; } else { -- cgit v1.2.3