Message ID | 20250410-fix_swnode-v1-2-081c95cf7cf9@quicinc.com |
---|---|
State | New |
Series | software node: bug fixes |
On Thu, Apr 10, 2025 at 09:12:12PM +0800, Zijun Hu wrote:
> From: Zijun Hu <quic_zijuhu@quicinc.com>
>
> software_node_get_reference_args() wants to get @index-th element, so
> the property value requires at least '(index + 1) * sizeof(*ref)' bytes.
>
> Correct the check to avoid OOB access.

Any real traceback?

On Thu, Apr 10, 2025 at 09:12:12PM +0800, Zijun Hu wrote: > From: Zijun Hu <quic_zijuhu@quicinc.com> > > software_node_get_reference_args() wants to get @index-th element, so > the property value requires at least '(index + 1) * sizeof(*ref)' bytes. > > Correct the check to avoid OOB access. > > Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com> Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com> > --- > drivers/base/swnode.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/base/swnode.c b/drivers/base/swnode.c > index 67040fff99b02c43999b175c2ba7e6d04322a446..efaac07f8ba38fae55214b71c2ecee15b5a711b1 100644 > --- a/drivers/base/swnode.c > +++ b/drivers/base/swnode.c > @@ -529,7 +529,7 @@ software_node_get_reference_args(const struct fwnode_handle *fwnode, > if (prop->is_inline) > return -EINVAL; > > - if (index * sizeof(*ref) >= prop->length) > + if ((index + 1) * sizeof(*ref) > prop->length) > return -ENOENT; > > ref_array = prop->pointer; > > -- > 2.34.1 >
On 2025/4/14 16:08, Andy Shevchenko wrote:
> On Thu, Apr 10, 2025 at 09:12:12PM +0800, Zijun Hu wrote:
>> From: Zijun Hu <quic_zijuhu@quicinc.com>
>>
>> software_node_get_reference_args() wants to get @index-th element, so
>> the property value requires at least '(index + 1) * sizeof(*ref)' bytes.
>>
>> Correct the check to avoid OOB access.
> Any real traceback?

No, I found this issue while reading the code.

diff --git a/drivers/base/swnode.c b/drivers/base/swnode.c index 67040fff99b02c43999b175c2ba7e6d04322a446..efaac07f8ba38fae55214b71c2ecee15b5a711b1 100644 --- a/drivers/base/swnode.c +++ b/drivers/base/swnode.c @@ -529,7 +529,7 @@ software_node_get_reference_args(const struct fwnode_handle *fwnode, if (prop->is_inline) return -EINVAL; - if (index * sizeof(*ref) >= prop->length) + if ((index + 1) * sizeof(*ref) > prop->length) return -ENOENT; ref_array = prop->pointer;
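
Review bot: The new bound in software_node_get_reference_args(), `(index + 1) * sizeof(*ref) > prop->length`, still does arithmetic on the caller-supplied index before comparing, so it can wrap: if index is an unsigned int at its maximum value, index + 1 becomes 0, the product is 0, and the check passes (the type of index is not visible in this hunk, so confirm it). Comparing in element units, for example `if (index >= prop->length / sizeof(*ref))`, rejects the same cases without any addition or multiplication on index. The commit message would also be clearer if it said that the old test, `index * sizeof(*ref) >= prop->length`, only goes wrong when prop->length is not a whole multiple of sizeof(*ref), where it admits an index whose element is only partly inside the property; that matches the reply in the thread that this was found by reading code rather than from a traceback. No Fixes: tag appears among the tags shown, and one would help if this is meant for stable.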