linux/drivers/spi
Ian Abbott f53d31162a spi: spidev: fix possible arithmetic overflow for multi-transfer message
commit f20fbaad76 upstream.

`spidev_message()` sums the lengths of the individual SPI transfers to
determine the overall SPI message length.  It restricts the total
length, returning an error if too long, but it does not check for
arithmetic overflow.  For example, if the SPI message consisted of two
transfers and the first has a length of 10 and the second has a length
of (__u32)(-1), the total length would be seen as 9, even though the
second transfer is actually very long.  If the second transfer specifies
a null `rx_buf` and a non-null `tx_buf`, the `copy_from_user()` could
overrun the spidev's pre-allocated tx buffer before it reaches an
invalid user memory address.  Fix it by checking that neither the total
nor the individual transfer lengths exceed the maximum allowed value.

Thanks to Dan Carpenter for reporting the potential integer overflow.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2015-05-06 21:59:10 +02:00
Kconfig spi: rspi: Document support for Renesas QSPI in Kconfig 2014-02-04 19:22:30 +00:00
Makefile spi: bcm63xx-hsspi: add bcm63xx HSSPI driver 2013-12-04 13:29:13 +00:00
spi-altera.c spi: altera: Remove unneeded NULL checking for hw->bitbang.master 2014-01-13 10:12:45 +00:00
spi-ath79.c spi: spi-ath79: fix initial GPIO CS line setup 2014-03-03 12:38:52 +08:00
spi-atmel.c spi: atmel: Fix interrupt setup for PDC transfers 2015-03-26 15:06:54 +01:00
spi-au1550.c Merge remote-tracking branch 'spi/topic/probe' into spi-next 2013-10-25 09:51:36 +01:00
spi-bcm63xx-hsspi.c spi/bcm63xx-hsspi: fix pm sleep support 2013-12-17 22:32:17 +00:00
spi-bcm63xx.c Merge remote-tracking branches 'spi/topic/bcm2835', 'spi/topic/bcm63xx', 'spi/topic/bcm63xx-hsspi', 'spi/topic/bitbang', 'spi/topic/bpw', 'spi/topic/clps711x', 'spi/topic/coldfire', 'spi/topic/davinci', 'spi/topic/dw' and 'spi/topic/falcon' into spi-linus 2014-01-23 13:07:05 +00:00
spi-bcm2835.c spi: bcm2835: Use devm_request_irq() 2013-12-17 22:58:18 +00:00
spi-bfin-sport.c Merge remote-tracking branch 'spi/topic/bfin' into spi-next 2013-10-25 09:51:21 +01:00
spi-bfin-v3.c spi: bfin-v3: use devm_spi_register_master() 2013-09-26 11:42:23 +01:00
spi-bfin5xx.c Merge remote-tracking branch 'spi/topic/bfin' into spi-next 2013-10-25 09:51:21 +01:00
spi-bitbang-txrx.h spi: bitbang: Grammar s/make to make/to make/ 2014-01-13 11:24:21 +00:00
spi-bitbang.c spi: bitbang: Fix checkpatch issue 2013-10-14 18:23:48 +01:00
spi-butterfly.c Merge remote-tracking branch 'spi/topic/butterfly' into spi-next 2013-10-25 09:51:23 +01:00
spi-clps711x.c spi: clps711x: Add MODULE_ALIAS to support module auto-loading 2014-01-14 14:21:43 +00:00
spi-coldfire-qspi.c spi: coldfire-qspi: Fix getting correct address for *mcfqspi 2014-03-05 11:53:08 +08:00
spi-davinci.c Merge remote-tracking branches 'spi/topic/bcm2835', 'spi/topic/bcm63xx', 'spi/topic/bcm63xx-hsspi', 'spi/topic/bitbang', 'spi/topic/bpw', 'spi/topic/clps711x', 'spi/topic/coldfire', 'spi/topic/davinci', 'spi/topic/dw' and 'spi/topic/falcon' into spi-linus 2014-01-23 13:07:05 +00:00
spi-dw-mid.c spi: dw-mid: fix FIFO size 2015-02-05 22:35:48 -08:00
spi-dw-mmio.c spi: dw-mmio: prepare the clock before enabling 2013-12-31 12:30:22 +00:00
spi-dw-pci.c spi: dw-pci: fix bug when regs left uninitialized 2014-10-05 14:52:16 -07:00
spi-dw.c spi: dw: Fix dynamic speed change. 2014-12-06 15:55:38 -08:00
spi-dw.h spi: dw: use managed resources 2013-12-31 12:30:18 +00:00
spi-efm32.c spi: efm32: use $vendor,$device scheme for compatible string 2014-05-06 07:59:24 -07:00
spi-ep93xx.c Merge remote-tracking branch 'spi/topic/bfin' into spi-next 2013-10-25 09:51:21 +01:00
spi-falcon.c spi: falcon: Use devm_spi_register_master() 2013-12-04 12:54:52 +00:00
spi-fsl-cpm.c DeviceTree updates for 3.13. This is a bit larger pull request than 2013-11-12 16:52:17 +09:00
spi-fsl-cpm.h spi/spi-fsl-spi: Make driver usable in CPU mode outside of an FSL_SOC environment 2013-04-07 10:07:54 +01:00
spi-fsl-dspi.c spi: fsl-dspi: Fix CTAR selection 2014-11-14 09:00:05 -08:00
spi-fsl-espi.c spi/fsl-espi: Add Power Management support for eSPI controller 2013-12-12 11:50:02 +00:00
spi-fsl-lib.c spi: use dev_get_platdata() 2013-08-29 13:56:23 +01:00
spi-fsl-lib.h spi/spi-fsl-spi: Add support for gpio chipselects for GRLIB type cores 2013-04-07 10:07:57 +01:00
spi-fsl-spi.c spi: fsl: Fix problem with multi message transfers 2015-01-16 06:59:34 -08:00
spi-fsl-spi.h spi/spi-fsl-spi: Add support for Aeroflex Gaisler GRLIB cores normally running on SPARC 2013-04-07 10:07:56 +01:00
spi-gpio.c spi: spi-gpio: Use 'cansleep' variants to access GPIO 2013-11-24 14:12:36 +00:00
spi-imx.c spi: spi-imx: spi_imx_remove: do not disable disabled clocks 2014-02-28 15:14:54 +09:00
spi-lm70llp.c spi: bitbang: Let spi_bitbang_start() take a reference to master 2013-10-07 14:50:43 +01:00
spi-mpc52xx-psc.c spi: Don't break user-visible strings to multiple source lines in drivers 2013-10-16 19:07:15 +01:00
spi-mpc52xx.c spi: use platform_{get,set}_drvdata() 2013-05-23 09:09:55 -05:00
spi-mpc512x-psc.c Merge remote-tracking branch 'agust/next' into next 2014-01-29 16:53:55 +11:00
spi-mxs.c spi: Remove duplicate code to set default bits_per_word setting 2014-01-17 15:54:22 +00:00
spi-nuc900.c spi: nuc900: Set SPI_LSB_FIRST for master->mode_bits if hw->pdata->lsb is true 2014-02-04 20:32:58 +00:00
spi-oc-tiny.c spi: oc-tiny: Simplify tiny_spi_txrx_bufs implementation when irq is not used 2014-01-09 17:58:28 +00:00
spi-octeon.c spi: octeon: use devm_spi_register_master() 2013-09-26 11:42:34 +01:00
spi-omap-100k.c spi: omap-100k: remove pointless _remove function 2013-12-02 17:35:54 +00:00
spi-omap-uwire.c spi: spi-omap-uwire: replace platform_driver_probe to support deferred probing 2013-10-09 12:07:50 +01:00
spi-omap2-mcspi.c spi/omap-mcspi: Fix the spi task hangs waiting dma_rx 2014-10-05 14:52:15 -07:00
spi-orion.c spi: orion: fix incorrect handling of cell-index DT property 2014-09-17 09:19:07 -07:00
spi-pl022.c spi: pl022: Fix race in giveback() leading to driver lock-up 2015-03-26 15:06:54 +01:00
spi-ppc4xx.c DeviceTree updates for 3.13. This is a bit larger pull request than 2013-11-12 16:52:17 +09:00
spi-pxa2xx-dma.c Merge remote-tracking branch 'spi/topic/pxa' into spi-next 2013-06-26 16:21:03 +01:00
spi-pxa2xx-pci.c spi: remove DEFINE_PCI_DEVICE_TABLE macro 2013-12-03 18:03:26 +00:00
spi-pxa2xx-pxadma.c spi/pxa2xx: break out the private DMA API usage into a separate file 2013-02-08 12:15:21 +00:00
spi-pxa2xx.c spi/pxa2xx: Clear cur_chip pointer before starting next message 2015-02-05 22:35:50 -08:00
spi-pxa2xx.h spi/pxa2xx: add support for Intel Low Power Subsystem SPI 2013-02-08 13:14:40 +00:00
spi-rspi.c Merge commit 'spi/fix/rcar' into spi-linus 2014-01-23 13:13:30 +00:00
spi-s3c24xx-fiq.S spi: reorganize drivers 2011-06-06 01:16:30 -06:00
spi-s3c24xx-fiq.h spi: reorganize drivers 2011-06-06 01:16:30 -06:00
spi-s3c24xx.c spi: s3c24xx: Remove reference to plat/fiq.h 2014-01-08 13:06:21 +00:00
spi-s3c64xx.c spi/s3c64xx: Correct indentation 2014-01-13 11:30:41 +00:00
spi-sc18is602.c Merge commit 'spi/topic/sc18is602' into spi-linus 2014-01-23 13:14:15 +00:00
spi-sh-hspi.c Merge remote-tracking branches 'spi/topic/fsl-espi', 'spi/topic/gpio', 'spi/topic/hspi', 'spi/topic/mpc512x', 'spi/topic/msiof', 'spi/topic/nuc900', 'spi/topic/oc-tiny', 'spi/topic/omap', 'spi/topic/orion' and 'spi/topic/pci' into spi-linus 2014-01-23 13:07:09 +00:00
spi-sh-msiof.c Merge remote-tracking branches 'spi/topic/fsl-espi', 'spi/topic/gpio', 'spi/topic/hspi', 'spi/topic/mpc512x', 'spi/topic/msiof', 'spi/topic/nuc900', 'spi/topic/oc-tiny', 'spi/topic/omap', 'spi/topic/orion' and 'spi/topic/pci' into spi-linus 2014-01-23 13:07:09 +00:00
spi-sh-sci.c spi: bitbang: Let spi_bitbang_start() take a reference to master 2013-10-07 14:50:43 +01:00
spi-sh.c Merge remote-tracking branches 'spi/topic/pxa2xx', 'spi/topic/qspi', 'spi/topic/s3c24xx', 'spi/topic/s3c64xx', 'spi/topic/sh', 'spi/topic/tegra114', 'spi/topic/tegra20-sflash', 'spi/topic/tegra20-slink', 'spi/topic/txx9' and 'spi/topic/xcomm' into spi-linus 2014-01-23 13:07:14 +00:00
spi-sirf.c spi: Remove duplicate code to set default bits_per_word setting 2014-01-17 15:54:22 +00:00
spi-tegra20-sflash.c spi: Updates for v3.14 2014-01-25 13:20:36 -08:00
spi-tegra20-slink.c spi: Updates for v3.14 2014-01-25 13:20:36 -08:00
spi-tegra114.c spi: Updates for v3.14 2014-01-25 13:20:36 -08:00
spi-ti-qspi.c Merge remote-tracking branches 'spi/topic/pxa2xx', 'spi/topic/qspi', 'spi/topic/s3c24xx', 'spi/topic/s3c64xx', 'spi/topic/sh', 'spi/topic/tegra114', 'spi/topic/tegra20-sflash', 'spi/topic/tegra20-slink', 'spi/topic/txx9' and 'spi/topic/xcomm' into spi-linus 2014-01-23 13:07:14 +00:00
spi-ti-ssp.c spi: use dev_get_platdata() 2013-08-29 13:56:23 +01:00
spi-tle62x0.c Merge remote-tracking branch 'spi/topic/tel62x0' into spi-next 2013-09-01 13:49:14 +01:00
spi-topcliff-pch.c spi-topcliff-pch: Fix probing when DMA mode is used 2014-02-27 13:37:10 +09:00
spi-txx9.c Merge remote-tracking branches 'spi/topic/pxa2xx', 'spi/topic/qspi', 'spi/topic/s3c24xx', 'spi/topic/s3c64xx', 'spi/topic/sh', 'spi/topic/tegra114', 'spi/topic/tegra20-sflash', 'spi/topic/tegra20-slink', 'spi/topic/txx9' and 'spi/topic/xcomm' into spi-linus 2014-01-23 13:07:14 +00:00
spi-xcomm.c spi: xcomm: Use devm_spi_register_master() 2013-12-04 12:52:30 +00:00
spi-xilinx.c tree-wide: use reinit_completion instead of INIT_COMPLETION 2013-11-15 09:32:21 +09:00
spi.c spi: trigger trace event for message-done before mesg->complete 2015-04-13 14:03:03 +02:00
spidev.c spi: spidev: fix possible arithmetic overflow for multi-transfer message 2015-05-06 21:59:10 +02:00