[PATCH v2] software node: Correct a OOB check in software_node_get_reference_args()

From: Zijun Hu
Date: Mon Apr 14 2025 - 07:37:21 EST

Next message: Dmitry Baryshkov: "Re: [PATCH v2 10/10] arm64: dts: qcom: sar2130p: add display nodes"
Previous message: Balbir Singh: "Re: [PATCH] dma/mapping.c: dev_dbg support for dma_addressing_limited"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Zijun Hu <quic_zijuhu@xxxxxxxxxxx>

software_node_get_reference_args() wants to get @index-th element, so
the property value requires at least '(index + 1) * sizeof(*ref)' bytes
but that can not be guaranteed by current OOB check, and may cause OOB
for malformed property.

Fix by using as OOB check '((index + 1) * sizeof(*ref) > prop->length)'.

Reviewed-by: Sakari Ailus <sakari.ailus@xxxxxxxxxxxxxxx>
Signed-off-by: Zijun Hu <quic_zijuhu@xxxxxxxxxxx>
---
Changes in v2:
- Drop the first patch
- Optimize comments for the secondary patch.
- Link to v1: https://lore.kernel.org/r/20250410-fix_swnode-v1-0-081c95cf7cf9@xxxxxxxxxxx
---
drivers/base/swnode.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/base/swnode.c b/drivers/base/swnode.c
index b1726a3515f6fbe13c2186af1f74479263798e42..22bed2d35b2e89b6ac741c73b0190dfe67b35f71 100644
--- a/drivers/base/swnode.c
+++ b/drivers/base/swnode.c
@@ -529,7 +529,7 @@ software_node_get_reference_args(const struct fwnode_handle *fwnode,
if (prop->is_inline)
return -EINVAL;

- if (index * sizeof(*ref) >= prop->length)
+ if ((index + 1) * sizeof(*ref) > prop->length)
return -ENOENT;

ref_array = prop->pointer;

---
base-commit: 0af2f6be1b4281385b618cb86ad946eded089ac8
change-id: 20250410-fix_swnode-4986ff1b3534

Best regards,
--
Zijun Hu <quic_zijuhu@xxxxxxxxxxx>

Next message: Dmitry Baryshkov: "Re: [PATCH v2 10/10] arm64: dts: qcom: sar2130p: add display nodes"
Previous message: Balbir Singh: "Re: [PATCH] dma/mapping.c: dev_dbg support for dma_addressing_limited"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]