[PATCH -next] firmware: imx: secure-enclave: prevent overflow in round_up() of iobuf length

Next message: liuxixin: "[PATCH v4 1/2] nvme: fix FDP fdpcidx bounds check"
Previous message: liuxixin: "[PATCH v4 0/2] nvme: fix FDP configuration log parsing"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pankaj Gupta

Date: Thu May 28 2026 - 05:33:51 EST

On 32-bit architectures, calling round_up(io.length, 8) can overflow
when io.length is close to SIZE_MAX, as the internal addition
(io.length + 7) wraps around. This may result in aligned_len becoming
smaller than io.length (even zero), bypassing subsequent bounds checks.

This can lead to an out-of-bounds write when the original io.length is
used in memory operations.

Add an explicit check to ensure io.length + 7 does not overflow before
calling round_up().

Fixes: 3ae9dcce8400 ("firmware: drivers: imx: adds miscdev")
Reported-by: sashiko-bot <sashiko-bot@xxxxxxxxxx>
Closes: https://sashiko.dev/#/patchset/20260514090321.2186877-1-pankaj.gupta@xxxxxxx?part=
Signed-off-by: Pankaj Gupta <pankaj.gupta@xxxxxxx>
---
drivers/firmware/imx/se_ctrl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/firmware/imx/se_ctrl.c b/drivers/firmware/imx/se_ctrl.c
index 4914d3b6bf0b..05ea7efc016d 100644
--- a/drivers/firmware/imx/se_ctrl.c
+++ b/drivers/firmware/imx/se_ctrl.c
@@ -672,7 +672,7 @@ static int se_ioctl_setup_iobuf_handler(struct se_if_device_ctx *dev_ctx,
goto copy;
}

- if (io.length > SIZE_MAX - 7) {
+ if ((size_t)io.length > SIZE_MAX - 7) {
dev_err(dev_ctx->priv->dev, "%s: Invalid buffer length.",
dev_ctx->devname);
return -EINVAL;
--
2.43.0