From: Arnd Bergmann
To: Michal Simek, Jolly Shah, Rajan Vaja
Cc: Arnd Bergmann, Rajan Vaja, Jolly Shah, Greg Kroah-Hartman, Tejas Patel, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org
Subject: [PATCH] firmware: xilinx: fix out-of-bounds access
Date: Mon, 26 Oct 2020 16:54:36 +0100
Message-Id: <20201026155449.3703142-1-arnd@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Arnd Bergmann

The zynqmp_pm_set_suspend_mode() and zynqmp_pm_get_trustzone_version()
functions pass values as api_id into zynqmp_pm_invoke_fn
that are beyond PM_API_MAX, resulting in an out-of-bounds access:

drivers/firmware/xilinx/zynqmp.c: In function 'zynqmp_pm_set_suspend_mode':
drivers/firmware/xilinx/zynqmp.c:150:24: warning: array subscript 2562 is above array bounds of 'u32[64]' {aka 'unsigned int[64]'} [-Warray-bounds]
  150 |  if (zynqmp_pm_features[api_id] != PM_FEATURE_UNCHECKED)
      |      ~~~~~~~~~~~~~~~~~~^~~~~~~~
drivers/firmware/xilinx/zynqmp.c:28:12: note: while referencing 'zynqmp_pm_features'
   28 | static u32 zynqmp_pm_features[PM_API_MAX];
      |            ^~~~~~~~~~~~~~~~~~

Replace the resulting undefined behavior with an error return.
This may break some things that happen to work at the moment
but seems better than randomly overwriting kernel data.

I assume we need additional fixes for the two functions that now
return an error.

Fixes: 76582671eb5d ("firmware: xilinx: Add Zynqmp firmware driver")
Fixes: e178df31cf41 ("firmware: xilinx: Implement ZynqMP power management APIs")
Signed-off-by: Arnd Bergmann
--- drivers/firmware/xilinx/zynqmp.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/firmware/xilinx/zynqmp.c b/drivers/firmware/xilinx/zynqmp.c index 8d1ff2454e2e..efb8a66efc68 100644 --- a/drivers/firmware/xilinx/zynqmp.c +++ b/drivers/firmware/xilinx/zynqmp.c
@@ -147,6 +147,9 @@ static int zynqmp_pm_feature(u32 api_id) return 0; /* Return value if feature is already checked */ + if (api_id > ARRAY_SIZE(zynqmp_pm_features)) + return PM_FEATURE_INVALID; + if (zynqmp_pm_features[api_id] != PM_FEATURE_UNCHECKED) return zynqmp_pm_features[api_id]; -- 2.27.0
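
Review bot: The added check `if (api_id > ARRAY_SIZE(zynqmp_pm_features))` is off by one: an api_id equal to ARRAY_SIZE (64 for the 'u32[64]' array in the quoted warning) passes the test and still reads one element past the end in the `zynqmp_pm_features[api_id]` lookup just below it. Use `>=` so that only indices 0 through ARRAY_SIZE - 1 reach the array. A short comment next to the check naming the two callers from the commit message that now receive PM_FEATURE_INVALID would also help whoever writes the follow-up fixes.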