Patch "firmware: arm_scmi: Fix possible scmi_linux_errmap buffer overflow" has been added to the 4.19-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Thu, 29 Jul 2021 07:59:56 -0400

This is a note to let you know that I've just added the patch titled

    firmware: arm_scmi: Fix possible scmi_linux_errmap buffer overflow

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     firmware-arm_scmi-fix-possible-scmi_linux_errmap-buf.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 1c601ba3c5bdbc9591e9abd81c92d38d9c9cc3b6
Author: Sudeep Holla <sudeep.holla@xxxxxxx>
Date:   Wed Jul 7 14:50:28 2021 +0100

    firmware: arm_scmi: Fix possible scmi_linux_errmap buffer overflow
    
    [ Upstream commit 7a691f16ccad05d770f813d9c4b4337a30c6d63f ]
    
    The scmi_linux_errmap buffer access index is supposed to depend on the
    array size to prevent element out of bounds access. It uses SCMI_ERR_MAX
    to check bounds but that can mismatch with the array size. It also
    changes the success into -EIO though scmi_linux_errmap is never used in
    case of success, it is expected to work for success case too.
    
    It is slightly confusing code as the negative of the error code
    is used as index to the buffer. Fix it by negating it at the start and
    make it more readable.
    
    Link: https://lore.kernel.org/r/20210707135028.1869642-1-sudeep.holla@xxxxxxx
    Reported-by: kernel test robot <lkp@xxxxxxxxx>
    Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
    Reviewed-by: Cristian Marussi <cristian.marussi@xxxxxxx>
    Signed-off-by: Sudeep Holla <sudeep.holla@xxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/firmware/arm_scmi/driver.c b/drivers/firmware/arm_scmi/driver.c
index effc4c17e0fb..081fbe28da4b 100644
--- a/drivers/firmware/arm_scmi/driver.c
+++ b/drivers/firmware/arm_scmi/driver.c
@@ -48,7 +48,6 @@ enum scmi_error_codes {
 	SCMI_ERR_GENERIC = -8,	/* Generic Error */
 	SCMI_ERR_HARDWARE = -9,	/* Hardware Error */
 	SCMI_ERR_PROTOCOL = -10,/* Protocol Error */
-	SCMI_ERR_MAX
 };
 
 /* List of all SCMI devices active in system */
@@ -168,8 +167,10 @@ static const int scmi_linux_errmap[] = {
 
 static inline int scmi_to_linux_errno(int errno)
 {
-	if (errno < SCMI_SUCCESS && errno > SCMI_ERR_MAX)
-		return scmi_linux_errmap[-errno];
+	int err_idx = -errno;
+
+	if (err_idx >= SCMI_SUCCESS && err_idx < ARRAY_SIZE(scmi_linux_errmap))
+		return scmi_linux_errmap[err_idx];
 	return -EIO;
 }
 






