Received: by 2002:a05:6a10:eb17:0:0:0:0 with SMTP id hx23csp389054pxb;
        Fri, 3 Sep 2021 04:38:22 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwUPx7IzOnDBI3JH6WeQ5fXetub6w0RadAdl04ifq+Dv3s2KcHcANKPNVtBK9eUsn3IAmwj
X-Received: by 2002:aa7:d04a:: with SMTP id n10mr3568146edo.12.1630669102521;
        Fri, 03 Sep 2021 04:38:22 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1630669102; cv=none;
        d=google.com; s=arc-20160816;
        b=RsMEc2W6sCoIKxl2YUjHicYOBiecDxe5EJ3/7ij+zcS/oVHIvAjcvGkQXd+I8utyHi
         lTeMHZ0vCprsoVOgGGybv5asLrRr3DoAFs1S7yiOA2XqZBQKWIN0DNZ2J2UYopS5yagp
         dqfCAzMFWVGeysdR83uknSiYQMKJyv9GIFABqfuiHC69iRo360xFdQ4/EOKuiCP5L9LC
         Ok/1KeX6mEm9Q1eGTLT/fW+n9M+0TkNC5XULhk4XglFy0+IA2zmrfmT0ayYpeJHRyuOI
         5iahpedBPPHBnJG3CZgIbVOMWyq7QjyrOF3W7haBbHnu86mFktSQM0WmIsO8Rleq/Yws
         k3eg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from;
        bh=dk1Z6KUZZYtBSygNy2CeThe1eJ552e/uQ99Jgb7JMGI=;
        b=aJhCqexl9cEZBIVrft9IjbXWVWLDfJJaV8+5FeMfzSU2xeAX1XGbPYoNYo2pV7hWod
         +EBNBNbS5Tll+QT50o3yJXvsDcVJ9wi7hYthe0Ni8E3k5zgbKuEndSv0OMzoc2rKzlk3
         IcxYjOKMdxQFG8Sr0LBKXV3aL4nMKcECGUQcZlh9h9JMpt+h71fdyCz2mjrvSrWL6JdW
         ti4TWZ5DMn/jN0Ygdy8gtbj5Gk6sEwf+PowNPPBr3mIY1mgEvqbvRKEyQvL41dYo6bjP
         QRu8OoS5AwxGYRdQMJ52OPXk5Jh9/P4ooIKRGDFyCvkZ/LGsDf1H9Bsztr3aklDZrkJn
         oPQg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ispras.ru
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id bx6si4921855edb.476.2021.09.03.04.37.58;
        Fri, 03 Sep 2021 04:38:22 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ispras.ru
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1348247AbhICI2E (ORCPT <rfc822;liuwu.linux@gmail.com>
        + 99 others); Fri, 3 Sep 2021 04:28:04 -0400
Received: from mail.ispras.ru ([83.149.199.84]:33296 "EHLO mail.ispras.ru"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S234810AbhICI2E (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 3 Sep 2021 04:28:04 -0400
Received: from hellwig.intra.ispras.ru (unknown [10.10.2.182])
        by mail.ispras.ru (Postfix) with ESMTPS id 324EC40D4004;
        Fri,  3 Sep 2021 08:26:58 +0000 (UTC)
From:   Evgeny Novikov <novikov@ispras.ru>
To:     Miquel Raynal <miquel.raynal@bootlin.com>
Cc:     Evgeny Novikov <novikov@ispras.ru>,
        Richard Weinberger <richard@nod.at>,
        Vignesh Raghavendra <vigneshr@ti.com>,
        Ramuthevar Vadivel Murugan 
        <vadivel.muruganx.ramuthevar@linux.intel.com>,
        Martin Blumenstingl <martin.blumenstingl@googlemail.com>,
        Christophe JAILLET <christophe.jaillet@wanadoo.fr>,
        Kirill Shilimanov <kirill.shilimanov@huawei.com>,
        Anton Vasilyev <vasilyev@ispras.ru>,
        linux-mtd@lists.infradead.org, linux-kernel@vger.kernel.org,
        ldv-project@linuxtesting.org
Subject: [PATCH] mtd: rawnand: intel: Fix potential buffer overflow in probe
Date:   Fri,  3 Sep 2021 11:26:53 +0300
Message-Id: <20210903082653.16441-1-novikov@ispras.ru>
X-Mailer: git-send-email 2.26.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

ebu_nand_probe() read the value of u32 variable "cs" from the device
firmware description and used it as the index for array ebu_host->cs
that can contain MAX_CS (2) elements at most. That could result in
a buffer overflow and various bad consequences later.

Fix the potential buffer overflow by restricting values of "cs" with
MAX_CS in probe.

Found by Linux Driver Verification project (linuxtesting.org).

Fixes: 0b1039f016e8 ("mtd: rawnand: Add NAND controller support on Intel LGM SoC")
Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
Co-developed-by: Kirill Shilimanov <kirill.shilimanov@huawei.com>
Signed-off-by: Kirill Shilimanov <kirill.shilimanov@huawei.com>
Co-developed-by: Anton Vasilyev <vasilyev@ispras.ru>
Signed-off-by: Anton Vasilyev <vasilyev@ispras.ru>
---
 drivers/mtd/nand/raw/intel-nand-controller.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/mtd/nand/raw/intel-nand-controller.c b/drivers/mtd/nand/raw/intel-nand-controller.c
index 8b49fd56cf96..81678088fdca 100644
--- a/drivers/mtd/nand/raw/intel-nand-controller.c
+++ b/drivers/mtd/nand/raw/intel-nand-controller.c
@@ -609,6 +609,11 @@ static int ebu_nand_probe(struct platform_device *pdev)
 		dev_err(dev, "failed to get chip select: %d\n", ret);
 		return ret;
 	}
+	if (cs >= MAX_CS) {
+		dev_err(dev, "got invalid chip select: %d\n", cs);
+		return -EINVAL;
+	}
+
 	ebu_host->cs_num = cs;
 
 	resname = devm_kasprintf(dev, GFP_KERNEL, "nand_cs%d", cs);
-- 
2.26.2