This is a note to let you know that I've just added the patch titled
nvmem: u-boot-env: error if NVMEM device is too small
to the 6.6-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
nvmem-u-boot-env-error-if-nvmem-device-is-too-small.patch
and it can be found in the queue-6.6 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
commit f1a4c4f3a902a3e05dc3b864734afd4bf2452c69
Author: John Thomson <git@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Mon Sep 2 15:25:08 2024 +0100
nvmem: u-boot-env: error if NVMEM device is too small
[ Upstream commit 8679e8b4a1ebdb40c4429e49368d29353e07b601 ]
Verify data size before trying to parse it to avoid reading out of
buffer. This could happen in case of problems at MTD level or invalid DT
bindings.
Signed-off-by: John Thomson <git@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Cc: stable <stable@xxxxxxxxxx>
Fixes: d5542923f200 ("nvmem: add driver handling U-Boot environment variables")
[rmilecki: simplify commit description & rebase]
Signed-off-by: Rafał Miłecki <rafal@xxxxxxxxxx>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@xxxxxxxxxx>
Link: https://lore.kernel.org/r/20240902142510.71096-2-srinivas.kandagatla@xxxxxxxxxx
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
diff --git a/drivers/nvmem/u-boot-env.c b/drivers/nvmem/u-boot-env.c
index befbab156cda..adabbfdad6fb 100644
--- a/drivers/nvmem/u-boot-env.c
+++ b/drivers/nvmem/u-boot-env.c
@@ -176,6 +176,13 @@ static int u_boot_env_parse(struct u_boot_env *priv)
data_offset = offsetof(struct u_boot_env_image_broadcom, data);
break;
}
+
+ if (dev_size < data_offset) {
+ dev_err(dev, "Device too small for u-boot-env\n");
+ err = -EIO;
+ goto err_kfree;
+ }
+
crc32_addr = (__le32 *)(buf + crc32_offset);
crc32 = le32_to_cpu(*crc32_addr);
crc32_data_len = dev_size - crc32_data_offset;
