From patchwork Wed Jul 13 15:49:51 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Stefan Wahren X-Patchwork-Id: 12916936 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 10D52C433EF for ; Wed, 13 Jul 2022 15:51:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:Cc:To:From:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=5JEIzKrNKpzTSKWA7z0oQQQ1GCdP1eYaGSWB6ivszsc=; b=EcAXbk4xZtEytu QHqs84EctF79NK9ubrve7AS7PDCOa95xMcDH4VHVInFljWzG/XU2lFdpF3OilO4mmf5DxgxgSYr4E Uiew7+r20RUqFQNGl4wyCdgecyHQGwvf7joBPHPrjNCNuDXrR2WGlu9tbxyJLWjimFHgit1/nrOyL a7CGOdV8n/f+e77OAb7VV7hZ4BYJrZfXyJ24wQjTG8e3Ef69SOT+oyQ7vibuXcywcgaKPK5SC0vVN iOQisV7d+k5yRWXxIhDjig/w3iAQHGlOWreedpQZLl1n233klKGqPh3Le8Qnoar/0q9MdusDVB1eW zbV3v1JnijyY8i9g9ktw==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1oBedI-005HTM-In; Wed, 13 Jul 2022 15:50:36 +0000 Received: from mout.kundenserver.de ([212.227.126.133]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1oBed6-005HIQ-12 for linux-arm-kernel@lists.infradead.org; Wed, 13 Jul 2022 15:50:25 +0000 Received: from localhost.localdomain ([37.4.249.155]) by mrelayeu.kundenserver.de (mreue010 [212.227.15.167]) with ESMTPSA (Nemesis) id 1MmUcL-1nlMDX3e4X-00iSaV; Wed, 13 Jul 2022 17:50:14 +0200 From: Stefan Wahren To: Florian Fainelli , Michael Turquette , Stephen Boyd Cc: bcm-kernel-feedback-list@broadcom.com, Maxime Ripard , linux-clk@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, Stefan Wahren , Phil Elwell Subject: [PATCH 1/3] clk: bcm: rpi: Prevent out-of-bounds access Date: Wed, 13 Jul 2022 17:49:51 +0200 Message-Id: <20220713154953.3336-2-stefan.wahren@i2se.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220713154953.3336-1-stefan.wahren@i2se.com> References: <20220713154953.3336-1-stefan.wahren@i2se.com> MIME-Version: 1.0 X-Provags-ID: V03:K1:jGsizjmPYWgMoUirvQPLUgxsbQQ2ElofdI3BKUEign/NkaXhQnb 7QjSp9tRRJjSoRwYo2JCI9mm5WE4aTOFLAXAb7B4AU8+U27vsejDtad6uMOwUTiCs7HYia9 4slz0QSgGGiFI55mLVpss+WK/KvQYCtBOwQSn1E/LesqOJhf2BivXmj1vBeUTVPQZUTxS2a W3IWa+gsVuN0RW+ci6LxQ== X-UI-Out-Filterresults: notjunk:1;V03:K0:JZF35l+UcLk=:3rrKjxywLhZnx3saFAZ03f RMfNv9To5MMrJae+wasiax14VAta/qz7qlHqYscW9QG+W9uSeXq/Q/sPT2z1U6iEHwEyJ/Fc6 l6iWARRu/GyhECQ3JgEWVxp3X9z1N1z9ba59O+O4wUc6TaYuICWxURN2yp9xTP2hVhcSIJmZs B/EIupn4iudl0TpKqHqXI3DKeIObvsmGPXd7mZsDynZHA/ZTW8F2h2Waf0JDQ1YrZUr9cMavD OIueboobopg4KlWlidkOcDW2AaFVWYis7t0HvcysUU2La0M8aeXP7G5Ayoi+pIlOAC8CPAgNR LZU+aX7CjgXHIlLDS0vGb2ZJTgSkc4u+s6Q+IA8KS72QiyLD2NbYeJ7Bo885+NeVCmFn/k9ip GpRvbFaQ3+szbQ9VKDuqtcjJ3ugpzSar85MPtaA/EzdOLHTwRzxUoQdfqo1/Yuv8xP4Cw4K1o bNvvuaB4IcOldicNvi6F0nL6dRvgGuNt96qJO/yhKOusHJYFfA0Ip4DLZj9tnKmIzw2b396dF 4QTw0brk8XiTRIL8lgKkCTXP2hjZvToJ7ZkfbBGfZLCPgjKyBS77uDcO8vSiyvcF/Ar5XgdPi DMTREaU4xn5O9599xbDHf9eMW+EYLyXyhNcF8IenY+AvCxKYjTBAfUfdBWg4pTx9D9OfkerDu sT8g3yYbA/e/Nvt8yrrZcSmH2ZoiEbsJmdPjtMMWDbrLIB2BQetGGCVeCeTPKT++h1c++0PuF BHNrLVqmNEUcsVN+8AU7CCO3BwnhyMLGi3OEPiZ8JTXZS5I/puT+etUuIDI= X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20220713_085024_385744_E0B54674 X-CRM114-Status: GOOD ( 13.03 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org The while loop in raspberrypi_discover_clocks() relies on the assumption that the id of the last clock element is zero. Because this data comes from the Videocore firmware and it doesn't guarantuee such a behavior this could lead to out-of-bounds access. So fix this by providing a sentinel element. Fixes: 93d2725affd6 ("clk: bcm: rpi: Discover the firmware clocks") Link: https://github.com/raspberrypi/firmware/issues/1688 Suggested-by: Phil Elwell Signed-off-by: Stefan Wahren Acked-by: Florian Fainelli --- drivers/clk/bcm/clk-raspberrypi.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/clk/bcm/clk-raspberrypi.c b/drivers/clk/bcm/clk-raspberrypi.c index 73518009a0f2..79cbf0c0b401 100644 --- a/drivers/clk/bcm/clk-raspberrypi.c +++ b/drivers/clk/bcm/clk-raspberrypi.c @@ -344,8 +344,13 @@ static int raspberrypi_discover_clocks(struct raspberrypi_clk *rpi, struct rpi_firmware_get_clocks_response *clks; int ret; + /* + * The firmware doesn't guarantee that the last element of + * RPI_FIRMWARE_GET_CLOCKS is zeroed. So allocate an additional + * zero element as sentinel. + */ clks = devm_kcalloc(rpi->dev, - RPI_FIRMWARE_NUM_CLK_ID, sizeof(*clks), + RPI_FIRMWARE_NUM_CLK_ID + 1, sizeof(*clks), GFP_KERNEL); if (!clks) return -ENOMEM;