gpio: GPIO_GET_CHIPINFO_IOCTL: Fix line offset validation

commit 1f1cc4566bd9dd8d3cf19965a4b6392143618536 upstream. The current line offset validation is off by one. Depending on the data stored behind the descs array this can either cause undefined behavior or disclose arbitrary, potentially sensitive, memory to the issuing userspace application. Make sure that offset is within the bounds of the desc array. Fixes: 521a2ad6f862 ("gpio: add userspace ABI for GPIO line information") Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Signed-off-by: Linus Walleij <linus.walleij@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Lars-Peter Clausen <lars@metafoo.de> 2016-10-18 16:53:59 +0200
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-11-10 16:38:45 +0100
commit: 78ae767553e435d5c3d71521b39d52e3a2e226b1 (patch)
tree: 6221aab14df6e792efd7c0044cd64052f4fa92c6
parent: 56ffab4f532ef9faf05d32d50018b851f3e8fc70 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
index 53ff25ac66d8..44d976c238c1 100644
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -837,7 +837,7 @@ static long gpio_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
 
 		if (copy_from_user(&lineinfo, ip, sizeof(lineinfo)))
 			return -EFAULT;
-		if (lineinfo.line_offset > gdev->ngpio)
+		if (lineinfo.line_offset >= gdev->ngpio)
 			return -EINVAL;
 
 		desc = &gdev->descs[lineinfo.line_offset];
author	Lars-Peter Clausen <lars@metafoo.de>	2016-10-18 16:53:59 +0200
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2016-11-10 16:38:45 +0100
commit	78ae767553e435d5c3d71521b39d52e3a2e226b1 (patch)
tree	6221aab14df6e792efd7c0044cd64052f4fa92c6
parent	56ffab4f532ef9faf05d32d50018b851f3e8fc70 (diff)