[PATCH v2] software node: Correct a OOB check in software_node_get_reference_args()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

From: Zijun Hu <quic_zijuhu@xxxxxxxxxxx>

software_node_get_reference_args() wants to get @index-th element, so
the property value requires at least '(index + 1) * sizeof(*ref)' bytes
but that can not be guaranteed by current OOB check, and may cause OOB
for malformed property.

Fix by using as OOB check '((index + 1) * sizeof(*ref) > prop->length)'.

Reviewed-by: Sakari Ailus <sakari.ailus@xxxxxxxxxxxxxxx>
Signed-off-by: Zijun Hu <quic_zijuhu@xxxxxxxxxxx>
---
Changes in v2:
- Drop the first patch
- Optimize comments for the secondary patch.
- Link to v1: https://lore.kernel.org/r/20250410-fix_swnode-v1-0-081c95cf7cf9@xxxxxxxxxxx
---
 drivers/base/swnode.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/base/swnode.c b/drivers/base/swnode.c
index b1726a3515f6fbe13c2186af1f74479263798e42..22bed2d35b2e89b6ac741c73b0190dfe67b35f71 100644
--- a/drivers/base/swnode.c
+++ b/drivers/base/swnode.c
@@ -529,7 +529,7 @@ software_node_get_reference_args(const struct fwnode_handle *fwnode,
 	if (prop->is_inline)
 		return -EINVAL;
 
-	if (index * sizeof(*ref) >= prop->length)
+	if ((index + 1) * sizeof(*ref) > prop->length)
 		return -ENOENT;
 
 	ref_array = prop->pointer;

---
base-commit: 0af2f6be1b4281385b618cb86ad946eded089ac8
change-id: 20250410-fix_swnode-4986ff1b3534

Best regards,
-- 
Zijun Hu <quic_zijuhu@xxxxxxxxxxx>
[Index of Archives]     [Linux IBM ACPI]     [Linux Power Management]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]     [Linux Resources]
  Powered by Linux