[PATCH] nvmem: brcm_nvram: fix out-of-bounds access on malformed flash data
From: Rosen Penev
Date: Fri Jul 03 2026 - 18:29:05 EST
The length check in brcm_nvram_parse() validated header->len against
priv->nvmem_size (the full partition size) instead of priv->data_len
(the actual allocated data buffer). A malformed flash partition with
header->len between the two would pass the check, causing
brcm_nvram_add_cells() to read and write priv->data[len - 1] beyond
the heap allocation.
Also add a minimum bound: len < sizeof(*header) could underflow the
data[len - 1] access.
Fix both bounds by rejecting len outside [sizeof(*header), priv->data_len].
Assisted-by: opencode:big-pickle
Signed-off-by: Rosen Penev <rosenp@xxxxxxxxx>
---
drivers/nvmem/brcm_nvram.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/nvmem/brcm_nvram.c b/drivers/nvmem/brcm_nvram.c
index aaa6537798bf..a29183ecd3e0 100644
--- a/drivers/nvmem/brcm_nvram.c
+++ b/drivers/nvmem/brcm_nvram.c
@@ -187,9 +187,13 @@ static int brcm_nvram_parse(struct brcm_nvram *priv)
}
len = le32_to_cpu(header->len);
- if (len > priv->nvmem_size) {
- dev_err(dev, "NVRAM length (%zd) exceeds mapped size (%zd)\n", len,
- priv->nvmem_size);
+ if (len < sizeof(*header)) {
+ dev_err(dev, "NVRAM length (%zd) too small\n", len);
+ return -EINVAL;
+ }
+ if (len > priv->data_len) {
+ dev_err(dev, "NVRAM length (%zd) exceeds data size (%zd)\n", len,
+ priv->data_len);
return -EINVAL;
}
--
2.55.0