Re: [PATCH v2 2/2] software node: Fix software_node_get_reference_args() with index -1

Next message: Roman Gushchin: "Re: [PATCH] Documentation/bpf: make it clear that kfuncs should be non-static"
Previous message: pr-tracker-bot: "Re: [GIT PULL] gfs2 changes for 7.2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Zijun Hu

Date: Fri Jun 26 2026 - 19:50:28 EST

On 6/18/2026 11:20 PM, Alban Bedel wrote:
> The bounds check for the index passed to
> software_node_get_reference_args() was failing when passed UINT_MAX,
> this in turn would lead to an out of bound access in the property
> array. Fix the bound check to also cover the UINT_MAX case.
>
> Fixes: 31e4e12e0e960 ("software node: Correct a OOB check in software_node_get_reference_args()")

i think the fix tag may not be right.

for original express before the fix tag: if (index * sizeof(*ref) > prop->length)

for UINT_MAX, multiplication overflow?

> Reported-by: Sashiko <sashiko-bot@xxxxxxxxxx>
> Closes: https://lore.kernel.org/linux-devicetree/20260611103904.7CB131F00893@xxxxxxxxxxxxxxx/
> Signed-off-by: Alban Bedel <alban.bedel@xxxxxxxxxx>
> --
> v2: No changes. Only submit this patch along with the patch that
> triggered the Sashiko report, to hopefully avoid another useless
> report.
> ---
> drivers/base/swnode.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/base/swnode.c b/drivers/base/swnode.c
> index 869228a65cb36..2bc76f01eb77d 100644
> --- a/drivers/base/swnode.c
> +++ b/drivers/base/swnode.c
> @@ -537,7 +537,7 @@ software_node_get_reference_args(const struct fwnode_handle *fwnode,
> if (prop->is_inline)
> return -EINVAL;
>
> - if ((index + 1) * sizeof(*ref) > prop->length)
> + if (index >= prop->length / sizeof(*ref))
> return -ENOENT;
>

who will use UINT_MAX ?

This function is a interface function. the best fix should check
input parameter @index and return -EINVAL if it is not expected?