From: John Thomson <git@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
commit 8679e8b4a1ebdb40c4429e49368d29353e07b601 upstream.
Verify data size before trying to parse it to avoid reading out of
buffer. This could happen in case of problems at MTD level or invalid DT
bindings.
Signed-off-by: John Thomson <git@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Cc: stable <stable@xxxxxxxxxx>
Fixes: d5542923f200 ("nvmem: add driver handling U-Boot environment variables")
[rmilecki: simplify commit description & rebase]
Signed-off-by: Rafał Miłecki <rafal@xxxxxxxxxx>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@xxxxxxxxxx>
Link: https://lore.kernel.org/r/20240902142510.71096-2-srinivas.kandagatla@xxxxxxxxxx
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/nvmem/u-boot-env.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/nvmem/u-boot-env.c
+++ b/drivers/nvmem/u-boot-env.c
@@ -176,6 +176,13 @@ static int u_boot_env_parse(struct u_boo
data_offset = offsetof(struct u_boot_env_image_broadcom, data);
break;
}
+
+ if (dev_size < data_offset) {
+ dev_err(dev, "Device too small for u-boot-env\n");
+ err = -EIO;
+ goto err_kfree;
+ }
+
crc32_addr = (__le32 *)(buf + crc32_offset);
crc32 = le32_to_cpu(*crc32_addr);
crc32_data_len = dev_size - crc32_data_offset;
Patches currently in stable-queue which might be from git@xxxxxxxxxxxxxxxxxxxxxxxxxxx are
queue-6.10/nvmem-u-boot-env-error-if-nvmem-device-is-too-small.patch
