git.monstr.eu Git - linux-2.6-microblaze.git/commit

author	Arnd Bergmann <arnd@arndb.de>
	Mon, 26 Oct 2020 15:54:36 +0000 (16:54 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Mon, 9 Nov 2020 17:35:35 +0000 (18:35 +0100)
commit	f3217d6f2f7a76b36a3326ad58c8897f4d5fbe31
tree	c3464a85b80d1a5aeb4cde3a561db163d88fb62e	tree \| snapshot
parent	d9109fe0f30a1fba66b8623837fc3d3c1a031090	commit \| diff

firmware: xilinx: fix out-of-bounds access

The zynqmp_pm_set_suspend_mode() and zynqmp_pm_get_trustzone_version()
functions pass values as api_id into zynqmp_pm_invoke_fn
that are beyond PM_API_MAX, resulting in an out-of-bounds access:

drivers/firmware/xilinx/zynqmp.c: In function 'zynqmp_pm_set_suspend_mode':
drivers/firmware/xilinx/zynqmp.c:150:24: warning: array subscript 2562 is above array bounds of 'u32[64]' {aka 'unsigned int[64]'} [-Warray-bounds]
  150 |  if (zynqmp_pm_features[api_id] != PM_FEATURE_UNCHECKED)
      |      ~~~~~~~~~~~~~~~~~~^~~~~~~~
drivers/firmware/xilinx/zynqmp.c:28:12: note: while referencing 'zynqmp_pm_features'
   28 | static u32 zynqmp_pm_features[PM_API_MAX];
      |            ^~~~~~~~~~~~~~~~~~

Replace the resulting undefined behavior with an error return.
This may break some things that happen to work at the moment
but seems better than randomly overwriting kernel data.

I assume we need additional fixes for the two functions that now
return an error.

Fixes: 76582671eb5d ("firmware: xilinx: Add Zynqmp firmware driver")
Fixes: e178df31cf41 ("firmware: xilinx: Implement ZynqMP power management APIs")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20201026155449.3703142-1-arnd@kernel.org
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>