The strings passed in DT may possibly cause out-of-bounds register
accesses and should be validated before use.
Fixes: 775d2ffb4af6 ("backlight: qcom-wled: Restructure the driver for WLED3")
Signed-off-by: Marijn Suijten <marijn.suij...@somainline.org>
Reviewed-by: AngeloGioacchino Del Regno
<angelogioacchino.delre...@somainline.org>
---
drivers/video/backlight/qcom-wled.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/drivers/video/backlight/qcom-wled.c
b/drivers/video/backlight/qcom-wled.c
index 29910e603c42..27e8949c7922 100644
--- a/drivers/video/backlight/qcom-wled.c
+++ b/drivers/video/backlight/qcom-wled.c
@@ -1526,6 +1526,12 @@ static int wled_configure(struct wled *wled)
"qcom,enabled-strings",
sizeof(u32));
if (string_len > 0) {
+ if (string_len > wled->max_string_count) {
+ dev_err(dev, "Cannot have more than %d strings\n",
+ wled->max_string_count);
+ return -EINVAL;
+ }
+
rc = of_property_read_u32_array(dev->of_node,
"qcom,enabled-strings",
wled->cfg.enabled_strings,
@@ -1537,6 +1543,14 @@ static int wled_configure(struct wled *wled)
return -EINVAL;
}
+ for (i = 0; i < string_len; ++i) {
+ if (wled->cfg.enabled_strings[i] >=
wled->max_string_count) {
+ dev_err(dev, "qcom,enabled-strings index %d at
%d is out of bounds\n",
+ wled->cfg.enabled_strings[i], i);
+ return -EINVAL;
+ }
+ }
+
cfg->num_strings = string_len;
}
--
2.33.0
