Index: linux-2.6.27/drivers/i2c/chips/at24.c =================================================================== --- linux-2.6.27.orig/drivers/i2c/chips/at24.c +++ linux-2.6.27/drivers/i2c/chips/at24.c @@ -114,6 +114,8 @@ static const struct i2c_device_id at24_i { "spd", AT24_DEVICE_MAGIC(2048 / 8, AT24_FLAG_READONLY | AT24_FLAG_IRUGO) }, { "24c04", AT24_DEVICE_MAGIC(4096 / 8, 0) }, + /* Intersil RTC/Unique-ID isl12024 eeprom handled here */ + { "isl12024",AT24_DEVICE_MAGIC(4096 / 8, AT24_FLAG_ADDR16) }, /* 24rf08 quirk is handled at i2c-core */ { "24c08", AT24_DEVICE_MAGIC(8192 / 8, 0) }, { "24c16", AT24_DEVICE_MAGIC(16384 / 8, 0) }, Index: linux-2.6.27/drivers/rtc/Kconfig =================================================================== --- linux-2.6.27.orig/drivers/rtc/Kconfig +++ linux-2.6.27/drivers/rtc/Kconfig @@ -124,6 +124,12 @@ comment "I2C RTC drivers" if I2C +config RTC_DRV_ISL12024 + tristate "Intersil 12024 RTC/ UniqueID" + help + If you say yes .... + This driver can also be built as a module. + config RTC_DRV_DS1307 tristate "Dallas/Maxim DS1307/37/38/39/40, ST M41T00" help Index: linux-2.6.27/drivers/rtc/Makefile =================================================================== --- linux-2.6.27.orig/drivers/rtc/Makefile +++ linux-2.6.27/drivers/rtc/Makefile @@ -34,6 +34,7 @@ obj-$(CONFIG_RTC_DRV_DS1742) += rtc-ds17 obj-$(CONFIG_RTC_DRV_EP93XX) += rtc-ep93xx.o obj-$(CONFIG_RTC_DRV_FM3130) += rtc-fm3130.o obj-$(CONFIG_RTC_DRV_ISL1208) += rtc-isl1208.o +obj-$(CONFIG_RTC_DRV_ISL12024) += rtc-isl12024.o obj-$(CONFIG_RTC_DRV_M41T80) += rtc-m41t80.o obj-$(CONFIG_RTC_DRV_M41T94) += rtc-m41t94.o obj-$(CONFIG_RTC_DRV_M48T59) += rtc-m48t59.o Index: linux-2.6.27/drivers/rtc/isl12024.h =================================================================== --- /dev/null +++ linux-2.6.27/drivers/rtc/isl12024.h @@ -0,0 +1,100 @@ +/* + * Intersil ISL12024 chip registers definitions + * + * + * Copyright (C) 2008, CenoSYS (www.cenosys.com). + * Guillaume Ligneul + * Guillaume.ligneul@gmail.com + * + * This software program is licensed subject to the GNU General Public License + * (GPL).Version 2,June 1991, available at http://www.fsf.org/copyleft/gpl.html + */ + +#ifndef ISL12024_H_ +#define ISL12024_H_ + +#define ISL12024_REG_SR 0x3F /* status register */ +#define ISL12024_REG_Y2K 0x37 +#define ISL12024_REG_DW 0x36 +#define ISL12024_REG_YR 0x35 +#define ISL12024_REG_MO 0x34 +#define ISL12024_REG_DT 0x33 +#define ISL12024_REG_HR 0x32 +#define ISL12024_REG_MN 0x31 +#define ISL12024_REG_SC 0x30 +#define ISL12024_REG_DTR 0x13 +#define ISL12024_REG_ATR 0x12 +#define ISL12024_REG_INT 0x11 +#define ISL12024_REG_0 0x10 +#define ISL12024_REG_Y2K1 0x0F +#define ISL12024_REG_DWA1 0x0E +#define ISL12024_REG_YRA1 0x0D +#define ISL12024_REG_MOA1 0x0C +#define ISL12024_REG_DTA1 0x0B +#define ISL12024_REG_HRA1 0x0A +#define ISL12024_REG_MNA1 0x09 +#define ISL12024_REG_SCA1 0x08 +#define ISL12024_REG_Y2K0 0x07 +#define ISL12024_REG_DWA0 0x06 +#define ISL12024_REG_YRA0 0x05 +#define ISL12024_REG_MOA0 0x04 +#define ISL12024_REG_DTA0 0x03 +#define ISL12024_REG_HRA0 0x02 +#define ISL12024_REG_MNA0 0x01 +#define ISL12024_REG_SCA0 0x00 + +#define ISL12024_CCR_BASE 0x30 /* Base address of CCR */ +#define ISL12024_ALM0_BASE 0x00 /* Base address of ALARM0 */ + +#define ISL12024_SR_RTCF 0x01 /* Clock failure */ +#define ISL12024_SR_WEL 0x02 /* Write Enable Latch */ +#define ISL12024_SR_RWEL 0x04 /* Register Write Enable */ +#define ISL12024_SR_AL0 0x20 /* Alarm 0 match */ + +#define ISL12024_DTR_DTR0 0x01 +#define ISL12024_DTR_DTR1 0x02 +#define ISL12024_DTR_DTR2 0x04 + +#define ISL12024_HR_MIL 0x80 /* Set in ccr.hour for 24 hr mode */ + +#define ISL12024_INT_AL0E 0x20 /* Alarm 0 enable */ + +/* I2C ADDRESS */ +#define ISL12024_I2C_ADDR 0xDE +#define ISL12024_I2C_EEPROM_ADDR 0x57 + +/* device id section */ +#define ISL12024_REG_ID 0x20 + +/* Register map */ +/* rtc section */ +#define ISL12024_REG_HR_MIL (1<<7) /* 24h/12h mode */ +#define ISL12024_REG_HR_PM (1<<5) /* PM/AM bit in 12h mode */ +//#define ISL12024_REG_DT 0x33 /* Date */ +//#define ISL12024_REG_MO 0x34 /* Month */ +//#define ISL12024_REG_YR 0x35 /* Year */ +//#define ISL12024_REG_DW 0x36 +//#define ISL12024_REG_Y2K 0x37 +#define ISL12024_RTC_SECTION_LEN 8 + +/* control/status section */ +//#define ISL12024_REG_SR 0x3F +//#define ISL12024_REG_SR_BAT (1<<7) /* battery */ +//#define ISL12024_REG_SR_AL1 (1<<6) /* alarm 0 */ +//#define ISL12024_REG_SR_AL0 (1<<5) /* alarm 1 */ +//#define ISL12024_REG_SR_OSCF (1<<4) /* oscillator fail */ +//#define ISL12024_REG_SR_RWEL (1<<2) /* register write enable latch */ +//#define ISL12024_REG_SR_WEL (1<<1) /* write enable latch */ +//#define ISL12024_REG_SR_RTCF (1<<0) /* rtc fail */ +//#define ISL12024_REG_INT 0x11 + +#define CCR_SEC 0 +#define CCR_MIN 1 +#define CCR_HOUR 2 +#define CCR_MDAY 3 +#define CCR_MONTH 4 +#define CCR_YEAR 5 +#define CCR_WDAY 6 +#define CCR_Y2K 7 + +#endif /*ISL12024_H_*/ Index: linux-2.6.27/drivers/rtc/rtc-isl12024.c =================================================================== --- /dev/null +++ linux-2.6.27/drivers/rtc/rtc-isl12024.c @@ -0,0 +1,541 @@ +/* + * Intersil ISL12024 class driver + * + * + * Copyright (C) 2007, CenoSYS (www.cenosys.com). + * + * Guillaume Ligneul <guillaume.ligneul@gmail.com> + * Sylvain Giroudon <sylvain.giroudon@goobie.fr> + * + * This software program is licensed subject to the GNU General Public License + * (GPL).Version 2,June 1991, available at http://www.fsf.org/copyleft/gpl.html + */ + +#include <linux/module.h> +#include <linux/i2c.h> +#include <linux/bcd.h> +#include <linux/rtc.h> +#include <linux/proc_fs.h> +#include <linux/delay.h> + +#include "isl12024.h" + + +#define DBG 1 +#undef DBG + +#define DRV_NAME "isl12024" +#define DRV_VERSION "0.2" + +/* i2c configuration */ +static const unsigned short normal_i2c[] = { + ISL12024_I2C_ADDR >>1, I2C_CLIENT_END +}; +I2C_CLIENT_INSMOD; + +static int isl12024_get_status(struct i2c_client *client, unsigned char *sr); +static int isl12024_fix_osc(struct i2c_client *client); + +static int isl12024_attach_adapter(struct i2c_adapter *adapter); +static int isl12024_detach_client(struct i2c_client *client); + + +/* Bufer to store unique identifier in */ +static u8 buf_id[ISL12024_RTC_SECTION_LEN] = { 0 }; + + +// To debug (may be added in include/linux/i2c-id.h) +#define I2C_DRIVERID_ISL12024 97 + + +static struct i2c_driver isl12024_driver = { + .driver = { + .name = DRV_NAME, + }, + .id = I2C_DRIVERID_ISL12024, + .attach_adapter = &isl12024_attach_adapter, + .detach_client = &isl12024_detach_client, +}; + + +int +isl12024_i2c_read_regs(struct i2c_client *client, u8 reg, u8 buf[], + unsigned len) +{ + int ret; + u8 dt_addr[2]; + + struct i2c_msg msgs[2] = { + { + .addr = client->addr, + .flags = 0, + .len = 2, + .buf = dt_addr, + }, + { + .addr = client->addr, + .flags = I2C_M_RD, + .len = len , + .buf = buf , + }, + }; + + dt_addr[0] = 0; + dt_addr[1] = reg; + + ret = i2c_transfer(client->adapter, msgs, 2); + if ( ret < 0) { + dev_err(&client->dev, "read error\n"); + return -EIO; + } + return ret; +} + +EXPORT_SYMBOL(isl12024_i2c_read_regs); + + +int +isl12024_i2c_set_regs(struct i2c_client *client, u8 reg, u8 const buf[], + unsigned len) +{ + int ret; + u8 i2c_buf[10]; + + struct i2c_msg msgs[1] = { + { + .addr = client->addr, + .flags = 0, + .len = len+2, + .buf = i2c_buf, + }, + }; + + i2c_buf[0] = 0; + i2c_buf[1] = reg; + + + memcpy(&i2c_buf[2], &buf[0], len ); + + ret = i2c_transfer(client->adapter, msgs, 1); + if ( ret < 0 ) + printk(KERN_ERR DRV_NAME ": i2c_transfer failed (%d)\n", ret); + + return ret; +} + +EXPORT_SYMBOL(isl12024_i2c_set_regs); + + +static int isl12024_i2c_validate_client(struct i2c_client *client) +{ + u8 regs[ISL12024_RTC_SECTION_LEN] = { 0, }; + u8 zero_mask[ISL12024_RTC_SECTION_LEN] = { + 0x80, 0x80, 0x40, 0xc0, 0xe0, 0x00, 0xf8, 0xc6 + }; + + int i; + int ret; +From c3edc06d1e1360f3570db9155d6b318ae0d0f0f7 Mon Sep 17 00:00:00 2001 From: Rich Felker <dalias@aerifal.cx> Date: Thu, 6 Oct 2016 18:34:58 -0400 Subject: [PATCH] fix missing integer overflow checks in regexec buffer size computations most of the possible overflows were already ruled out in practice by regcomp having already succeeded performing larger allocations. however at least the num_states*num_tags multiplication can clearly overflow in practice. for safety, check them all, and use the proper type, size_t, rather than int. also improve comments, use calloc in place of malloc+memset, and remove bogus casts. Upstream-Status: Backport CVE: CVE-2016-8859 Signed-off-by: Armin Kuster <akuster@mvista.com> --- src/regex/regexec.c | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/src/regex/regexec.c b/src/regex/regexec.c index 16c5d0a..dd52319 100644 --- a/src/regex/regexec.c +++ b/src/regex/regexec.c @@ -34,6 +34,7 @@ #include <wchar.h> #include <wctype.h> #include <limits.h> +#include <stdint.h> #include <regex.h> @@ -206,11 +207,24 @@ tre_tnfa_run_parallel(const tre_tnfa_t *tnfa, const void *string, /* Allocate memory for temporary data required for matching. This needs to be done for every matching operation to be thread safe. This allocates - everything in a single large block from the stack frame using alloca() - or with malloc() if alloca is unavailable. */ + everything in a single large block with calloc(). */ { - int tbytes, rbytes, pbytes, xbytes, total_bytes; + size_t tbytes, rbytes, pbytes, xbytes, total_bytes; char *tmp_buf; + + /* Ensure that tbytes and xbytes*num_states cannot overflow, and that + * they don't contribute more than 1/8 of SIZE_MAX to total_bytes. */ + if (num_tags > SIZE_MAX/(8 * sizeof(int) * tnfa->num_states)) + goto error_exit; + + /* Likewise check rbytes. */ + if (tnfa->num_states+1 > SIZE_MAX/(8 * sizeof(*reach_next))) + goto error_exit; + + /* Likewise check pbytes. */ + if (tnfa->num_states > SIZE_MAX/(8 * sizeof(*reach_pos))) + goto error_exit; + /* Compute the length of the block we need. */ tbytes = sizeof(*tmp_tags) * num_tags; rbytes = sizeof(*reach_next) * (tnfa->num_states + 1); @@ -221,10 +235,9 @@ tre_tnfa_run_parallel(const tre_tnfa_t *tnfa, const void *string, + (rbytes + xbytes * tnfa->num_states) * 2 + tbytes + pbytes; /* Allocate the memory. */ - buf = xmalloc((unsigned)total_bytes); + buf = calloc(total_bytes, 1); if (buf == NULL) return REG_ESPACE; - memset(buf, 0, (size_t)total_bytes); /* Get the various pointers within tmp_buf (properly aligned). */ tmp_tags = (void *)buf; -- 2.7.4
From c3edc06d1e1360f3570db9155d6b318ae0d0f0f7 Mon Sep 17 00:00:00 2001 From: Rich Felker <dalias@aerifal.cx> Date: Thu, 6 Oct 2016 18:34:58 -0400 Subject: [PATCH] fix missing integer overflow checks in regexec buffer size computations most of the possible overflows were already ruled out in practice by regcomp having already succeeded performing larger allocations. however at least the num_states*num_tags multiplication can clearly overflow in practice. for safety, check them all, and use the proper type, size_t, rather than int. also improve comments, use calloc in place of malloc+memset, and remove bogus casts. Upstream-Status: Backport CVE: CVE-2016-8859 Signed-off-by: Armin Kuster <akuster@mvista.com> --- src/regex/regexec.c | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/src/regex/regexec.c b/src/regex/regexec.c index 16c5d0a..dd52319 100644 --- a/src/regex/regexec.c +++ b/src/regex/regexec.c @@ -34,6 +34,7 @@ #include <wchar.h> #include <wctype.h> #include <limits.h> +#include <stdint.h> #include <regex.h> @@ -206,11 +207,24 @@ tre_tnfa_run_parallel(const tre_tnfa_t *tnfa, const void *string, /* Allocate memory for temporary data required for matching. This needs to be done for every matching operation to be thread safe. This allocates - everything in a single large block from the stack frame using alloca() - or with malloc() if alloca is unavailable. */ + everything in a single large block with calloc(). */ { - int tbytes, rbytes, pbytes, xbytes, total_bytes; + size_t tbytes, rbytes, pbytes, xbytes, total_bytes; char *tmp_buf; + + /* Ensure that tbytes and xbytes*num_states cannot overflow, and that + * they don't contribute more than 1/8 of SIZE_MAX to total_bytes. */ + if (num_tags > SIZE_MAX/(8 * sizeof(int) * tnfa->num_states)) + goto error_exit; + + /* Likewise check rbytes. */ + if (tnfa->num_states+1 > SIZE_MAX/(8 * sizeof(*reach_next))) + goto error_exit; + + /* Likewise check pbytes. */ + if (tnfa->num_states > SIZE_MAX/(8 * sizeof(*reach_pos))) + goto error_exit; + /* Compute the length of the block we need. */ tbytes = sizeof(*tmp_tags) * num_tags; rbytes = sizeof(*reach_next) * (tnfa->num_states + 1); @@ -221,10 +235,9 @@ tre_tnfa_run_parallel(const tre_tnfa_t *tnfa, const void *string, + (rbytes + xbytes * tnfa->num_states) * 2 + tbytes + pbytes; /* Allocate the memory. */ - buf = xmalloc((unsigned)total_bytes); + buf = calloc(total_bytes, 1); if (buf == NULL) return REG_ESPACE; - memset(buf, 0, (size_t)total_bytes); /* Get the various pointers within tmp_buf (properly aligned). */ tmp_tags = (void *)buf; -- 2.7.4