Commit be68b7e1 authored by Dan Carpenter's avatar Dan Carpenter Committed by Khalid Elmously

staging: comedi: verify array index is correct before using it

BugLink: https://bugs.launchpad.net/bugs/1888690

[ Upstream commit ef75e14a ]

This code reads from the array before verifying that "trig" is a valid
index.  If the index is wildly out of bounds then reading from an
invalid address could lead to an Oops.

Fixes: a8c66b68 ("staging: comedi: addi_apci_1500: rewrite the subdevice support functions")
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: default avatarIan Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20200709102936.GA20875@mwandaSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
parent 3e774fc3
...@@ -465,9 +465,9 @@ static int apci1500_di_cfg_trig(struct comedi_device *dev, ...@@ -465,9 +465,9 @@ static int apci1500_di_cfg_trig(struct comedi_device *dev,
unsigned int lo_mask = data[5] << shift; unsigned int lo_mask = data[5] << shift;
unsigned int chan_mask = hi_mask | lo_mask; unsigned int chan_mask = hi_mask | lo_mask;
unsigned int old_mask = (1 << shift) - 1; unsigned int old_mask = (1 << shift) - 1;
unsigned int pm = devpriv->pm[trig] & old_mask; unsigned int pm;
unsigned int pt = devpriv->pt[trig] & old_mask; unsigned int pt;
unsigned int pp = devpriv->pp[trig] & old_mask; unsigned int pp;
if (trig > 1) { if (trig > 1) {
dev_dbg(dev->class_dev, dev_dbg(dev->class_dev,
...@@ -480,6 +480,10 @@ static int apci1500_di_cfg_trig(struct comedi_device *dev, ...@@ -480,6 +480,10 @@ static int apci1500_di_cfg_trig(struct comedi_device *dev,
return -EINVAL; return -EINVAL;
} }
pm = devpriv->pm[trig] & old_mask;
pt = devpriv->pt[trig] & old_mask;
pp = devpriv->pp[trig] & old_mask;
switch (data[2]) { switch (data[2]) {
case COMEDI_DIGITAL_TRIG_DISABLE: case COMEDI_DIGITAL_TRIG_DISABLE:
/* clear trigger configuration */ /* clear trigger configuration */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment