* [PATCH] firmware: arm_scmi: Fix OOB in scmi_power_name_get()
From: Geert Uytterhoeven @ 2026-05-15 9:59 UTC
To: Sudeep Holla, Cristian Marussi
Cc: arm-scmi, linux-arm-kernel, linux-kernel, Geert Uytterhoeven
scmi_power_name_get() does not validate the domain number passed by the
external caller, which may lead to an out-of-bounds access.
Fix this by returning "unknown" for invalid domains, like
scmi_reset_name_get() does.
Fixes: 76a6550990e296a7 ("firmware: arm_scmi: add initial support for power protocol")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
---
drivers/firmware/arm_scmi/power.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/firmware/arm_scmi/power.c b/drivers/firmware/arm_scmi/power.c
index 3aa84ceb6d2bab68..4a7215e02dec035d 100644
--- a/drivers/firmware/arm_scmi/power.c
+++ b/drivers/firmware/arm_scmi/power.c
@@ -204,8 +204,12 @@ scmi_power_name_get(const struct scmi_protocol_handle *ph,
u32 domain)
{
struct scmi_power_info *pi = ph->get_priv(ph);
- struct power_dom_info *dom = pi->dom_info + domain;
+ struct power_dom_info *dom;
+
+ if (domain >= pi->num_domains)
+ return "unknown";
+ dom = pi->dom_info + domain;
return dom->name;
}
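Review bot: the early return at `if (domain >= pi->num_domains)` hands back the literal "unknown", which a caller cannot tell apart from a genuine domain name, so an out-of-range index is absorbed silently instead of being reported. The commit message says this mirrors scmi_reset_name_get(), so keeping the string is reasonable for consistency, but a one-line comment above the check stating that invalid domains yield "unknown" would document that contract for callers outside drivers/firmware/arm_scmi/. The commit message would also be clearer if it said whether any existing caller can actually pass a domain at or beyond `pi->num_domains`, since that determines whether this is a bug fix or defensive hardening of the API.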
--
2.43.0
* Re: [PATCH] firmware: arm_scmi: Fix OOB in scmi_power_name_get()
From: Dan Carpenter @ 2026-05-15 10:28 UTC
To: Geert Uytterhoeven
Cc: Sudeep Holla, Cristian Marussi, arm-scmi, linux-arm-kernel,
linux-kernel
On Fri, May 15, 2026 at 11:59:15AM +0200, Geert Uytterhoeven wrote:
> scmi_power_name_get() does not validate the domain number passed by the
> external caller, which may lead to an out-of-bounds access.
>
Is an external caller an out of tree caller? So far as I can see this
is only called by scmi_pm_domain_probe().
scmi_pd->name = power_ops->name_get(ph, i);
where i < num_domains.
regards,
dan carpenter
* Re: [PATCH] firmware: arm_scmi: Fix OOB in scmi_power_name_get()
From: Geert Uytterhoeven @ 2026-05-15 11:29 UTC
To: Dan Carpenter
Cc: Sudeep Holla, Cristian Marussi, arm-scmi, linux-arm-kernel,
linux-kernel
Hi Dan,
On Fri, 15 May 2026 at 12:28, Dan Carpenter <error27@gmail.com> wrote:
> On Fri, May 15, 2026 at 11:59:15AM +0200, Geert Uytterhoeven wrote:
> > scmi_power_name_get() does not validate the domain number passed by the
> > external caller, which may lead to an out-of-bounds access.
>
> Is an external caller an out of tree caller? So far as I can see this
I meant a caller outside drivers/firmware/arm_scmi/.
> is only called by scmi_pm_domain_probe().
>
> scmi_pd->name = power_ops->name_get(ph, i);
>
> where i < num_domains.
You are right. But this seems to be the only API implementation in
drivers/firmware/arm_scmi/ that does not validate the passed domain
number.
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds
* Re: [PATCH] firmware: arm_scmi: Fix OOB in scmi_power_name_get()
From: Dan Carpenter @ 2026-05-15 11:36 UTC
To: Geert Uytterhoeven
Cc: Sudeep Holla, Cristian Marussi, arm-scmi, linux-arm-kernel,
linux-kernel
On Fri, May 15, 2026 at 01:29:27PM +0200, Geert Uytterhoeven wrote:
> Hi Dan,
>
> On Fri, 15 May 2026 at 12:28, Dan Carpenter <error27@gmail.com> wrote:
> > On Fri, May 15, 2026 at 11:59:15AM +0200, Geert Uytterhoeven wrote:
> > > scmi_power_name_get() does not validate the domain number passed by the
> > > external caller, which may lead to an out-of-bounds access.
> >
> > Is an external caller an out of tree caller? So far as I can see this
>
> I meant a caller outside drivers/firmware/arm_scmi/.
>
> > is only called by scmi_pm_domain_probe().
> >
> > scmi_pd->name = power_ops->name_get(ph, i);
> >
> > where i < num_domains.
>
> You are right. But this seems to be the only API implementation in
> drivers/firmware/arm_scmi/ that does not validate the passed domain
> number.
I don't have a problem with the patch but I don't think it should have
a Fixes tag.
regards,
dan carpenter