Re: [PATCH 2/2] software node: Correct a OOB check in software_node_get_reference_args()
From: Sakari Ailus
Date: Mon Apr 14 2025 - 04:47:27 EST
On Thu, Apr 10, 2025 at 09:12:12PM +0800, Zijun Hu wrote:
> From: Zijun Hu <quic_zijuhu@xxxxxxxxxxx>
>
> software_node_get_reference_args() wants to get @index-th element, so
> the property value requires at least '(index + 1) * sizeof(*ref)' bytes.
>
> Correct the check to avoid OOB access.
>
> Signed-off-by: Zijun Hu <quic_zijuhu@xxxxxxxxxxx>
Reviewed-by: Sakari Ailus <sakari.ailus@xxxxxxxxxxxxxxx>
> ---
> drivers/base/swnode.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/base/swnode.c b/drivers/base/swnode.c
> index 67040fff99b02c43999b175c2ba7e6d04322a446..efaac07f8ba38fae55214b71c2ecee15b5a711b1 100644
> --- a/drivers/base/swnode.c
> +++ b/drivers/base/swnode.c
> @@ -529,7 +529,7 @@ software_node_get_reference_args(const struct fwnode_handle *fwnode,
> if (prop->is_inline)
> return -EINVAL;
>
> - if (index * sizeof(*ref) >= prop->length)
> + if ((index + 1) * sizeof(*ref) > prop->length)
> return -ENOENT;
>
> ref_array = prop->pointer;
>
> --
> 2.34.1
>
--
Sakari Ailus