[PATCH] firmware: arm_scmi: Fix OOB in scmi_power_name

Linux-ARM-Kernel Archive on lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] firmware: arm_scmi: Fix OOB in scmi_power_name_get()
@ 2026-05-15  9:59 Geert Uytterhoeven
  2026-05-15 10:28 ` Dan Carpenter
  0 siblings, 1 reply; 7+ messages in thread
From: Geert Uytterhoeven @ 2026-05-15  9:59 UTC (permalink / raw)
  To: Sudeep Holla, Cristian Marussi
  Cc: arm-scmi, linux-arm-kernel, linux-kernel, Geert Uytterhoeven

scmi_power_name_get() does not validate the domain number passed by the
external caller, which may lead to an out-of-bounds access.

Fix this by returning "unknown" for invalid domains, like
scmi_reset_name_get() does.

Fixes: 76a6550990e296a7 ("firmware: arm_scmi: add initial support for power protocol")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
---
 drivers/firmware/arm_scmi/power.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/firmware/arm_scmi/power.c b/drivers/firmware/arm_scmi/power.c
index 3aa84ceb6d2bab68..4a7215e02dec035d 100644
--- a/drivers/firmware/arm_scmi/power.c
+++ b/drivers/firmware/arm_scmi/power.c
@@ -204,8 +204,12 @@ scmi_power_name_get(const struct scmi_protocol_handle *ph,
 		    u32 domain)
 {
 	struct scmi_power_info *pi = ph->get_priv(ph);
-	struct power_dom_info *dom = pi->dom_info + domain;
+	struct power_dom_info *dom;
+
+	if (domain >= pi->num_domains)
+		return "unknown";
 
+	dom = pi->dom_info + domain;
 	return dom->name;
 }
 
-- 
2.43.0



^ permalink raw reply related	[flat|nested] 7+ messages in thread

* Re: [PATCH] firmware: arm_scmi: Fix OOB in scmi_power_name_get()
  2026-05-15  9:59 [PATCH] firmware: arm_scmi: Fix OOB in scmi_power_name_get() Geert Uytterhoeven
@ 2026-05-15 10:28 ` Dan Carpenter
  2026-05-15 11:29   ` Geert Uytterhoeven
  0 siblings, 1 reply; 7+ messages in thread
From: Dan Carpenter @ 2026-05-15 10:28 UTC (permalink / raw)
  To: Geert Uytterhoeven
  Cc: Sudeep Holla, Cristian Marussi, arm-scmi, linux-arm-kernel,
	linux-kernel

On Fri, May 15, 2026 at 11:59:15AM +0200, Geert Uytterhoeven wrote:
> scmi_power_name_get() does not validate the domain number passed by the
> external caller, which may lead to an out-of-bounds access.
> 

Is an external caller an out of tree caller?  So far as I can see this
is only called by scmi_pm_domain_probe().

	scmi_pd->name = power_ops->name_get(ph, i);

where i < num_domains.

regards,
dan carpenter



^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] firmware: arm_scmi: Fix OOB in scmi_power_name_get()
  2026-05-15 10:28 ` Dan Carpenter
@ 2026-05-15 11:29   ` Geert Uytterhoeven
  2026-05-15 11:36     ` Dan Carpenter
  2026-05-15 11:46     ` Cristian Marussi
  0 siblings, 2 replies; 7+ messages in thread
From: Geert Uytterhoeven @ 2026-05-15 11:29 UTC (permalink / raw)
  To: Dan Carpenter
  Cc: Sudeep Holla, Cristian Marussi, arm-scmi, linux-arm-kernel,
	linux-kernel

Hi Dan,

On Fri, 15 May 2026 at 12:28, Dan Carpenter <error27@gmail.com> wrote:
> On Fri, May 15, 2026 at 11:59:15AM +0200, Geert Uytterhoeven wrote:
> > scmi_power_name_get() does not validate the domain number passed by the
> > external caller, which may lead to an out-of-bounds access.
>
> Is an external caller an out of tree caller?  So far as I can see this

I meant a caller outside drivers/firmware/arm_scmi/.

> is only called by scmi_pm_domain_probe().
>
>         scmi_pd->name = power_ops->name_get(ph, i);
>
> where i < num_domains.

You are right. But this seems to be only API implementation in
drivers/firmware/arm_scmi/ that does not validate the passed domain
number.

Gr{oetje,eeting}s,

                        Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] firmware: arm_scmi: Fix OOB in scmi_power_name_get()
  2026-05-15 11:29   ` Geert Uytterhoeven
@ 2026-05-15 11:36     ` Dan Carpenter
  2026-05-15 11:46     ` Cristian Marussi
  1 sibling, 0 replies; 7+ messages in thread
From: Dan Carpenter @ 2026-05-15 11:36 UTC (permalink / raw)
  To: Geert Uytterhoeven
  Cc: Sudeep Holla, Cristian Marussi, arm-scmi, linux-arm-kernel,
	linux-kernel

On Fri, May 15, 2026 at 01:29:27PM +0200, Geert Uytterhoeven wrote:
> Hi Dan,
> 
> On Fri, 15 May 2026 at 12:28, Dan Carpenter <error27@gmail.com> wrote:
> > On Fri, May 15, 2026 at 11:59:15AM +0200, Geert Uytterhoeven wrote:
> > > scmi_power_name_get() does not validate the domain number passed by the
> > > external caller, which may lead to an out-of-bounds access.
> >
> > Is an external caller an out of tree caller?  So far as I can see this
> 
> I meant a caller outside drivers/firmware/arm_scmi/.
> 
> > is only called by scmi_pm_domain_probe().
> >
> >         scmi_pd->name = power_ops->name_get(ph, i);
> >
> > where i < num_domains.
> 
> You are right. But this seems to be only API implementation in
> drivers/firmware/arm_scmi/ that does not validate the passed domain
> number.

I don't have a problem with the patch but I don't think it should have
a Fixes tag.

regards,
dan carpenter



^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] firmware: arm_scmi: Fix OOB in scmi_power_name_get()
  2026-05-15 11:29   ` Geert Uytterhoeven
  2026-05-15 11:36     ` Dan Carpenter
@ 2026-05-15 11:46     ` Cristian Marussi
  2026-05-15 12:00       ` Geert Uytterhoeven
  1 sibling, 1 reply; 7+ messages in thread
From: Cristian Marussi @ 2026-05-15 11:46 UTC (permalink / raw)
  To: Geert Uytterhoeven
  Cc: Dan Carpenter, Sudeep Holla, Cristian Marussi, arm-scmi,
	linux-arm-kernel, linux-kernel

On Fri, May 15, 2026 at 01:29:27PM +0200, Geert Uytterhoeven wrote:
> Hi Dan,
> 

Hi all,

> On Fri, 15 May 2026 at 12:28, Dan Carpenter <error27@gmail.com> wrote:
> > On Fri, May 15, 2026 at 11:59:15AM +0200, Geert Uytterhoeven wrote:
> > > scmi_power_name_get() does not validate the domain number passed by the
> > > external caller, which may lead to an out-of-bounds access.
> >
> > Is an external caller an out of tree caller?  So far as I can see this
> 
> I meant a caller outside drivers/firmware/arm_scmi/.
> 
> > is only called by scmi_pm_domain_probe().
> >
> >         scmi_pd->name = power_ops->name_get(ph, i);
> >
> > where i < num_domains.
> 
> You are right. But this seems to be only API implementation in
> drivers/firmware/arm_scmi/ that does not validate the passed domain
> number.
>

Yes we tend to validate protocol operations calls even if apparently
safe from teh caller perspective...indeed I have this fixed locally
since ages in an horrible patch, that does a lot more, and that I
never posted :P

Usually, if it is worth, we also build an internal domain get helper to
reuse across the protocol unit...but here really there are only 2 call-sites.

What I am not sure is what to return: "unknown" is safer as of now than NULL
for sure, but really, what happened is NOT that the name was "unknown" (which
by itself would be out-of-spec behaviour) it is more that the whole domain that
was referred to that was invalid and NOT existent...

....mmm I suppose we are opening another can of worms here :P

Thanks,
Cristian


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] firmware: arm_scmi: Fix OOB in scmi_power_name_get()
  2026-05-15 11:46     ` Cristian Marussi
@ 2026-05-15 12:00       ` Geert Uytterhoeven
  2026-05-15 12:10         ` Cristian Marussi
  0 siblings, 1 reply; 7+ messages in thread
From: Geert Uytterhoeven @ 2026-05-15 12:00 UTC (permalink / raw)
  To: Cristian Marussi
  Cc: Dan Carpenter, Sudeep Holla, arm-scmi, linux-arm-kernel,
	linux-kernel

Hi Cristian,

On Fri, 15 May 2026 at 13:46, Cristian Marussi <cristian.marussi@arm.com> wrote:
> On Fri, May 15, 2026 at 01:29:27PM +0200, Geert Uytterhoeven wrote:
> > On Fri, 15 May 2026 at 12:28, Dan Carpenter <error27@gmail.com> wrote:
> > > On Fri, May 15, 2026 at 11:59:15AM +0200, Geert Uytterhoeven wrote:
> > > > scmi_power_name_get() does not validate the domain number passed by the
> > > > external caller, which may lead to an out-of-bounds access.
> > >
> > > Is an external caller an out of tree caller?  So far as I can see this
> >
> > I meant a caller outside drivers/firmware/arm_scmi/.
> >
> > > is only called by scmi_pm_domain_probe().
> > >
> > >         scmi_pd->name = power_ops->name_get(ph, i);
> > >
> > > where i < num_domains.
> >
> > You are right. But this seems to be only API implementation in
> > drivers/firmware/arm_scmi/ that does not validate the passed domain
> > number.
>
> Yes we tend to validate protocol operations calls even if apparently
> safe from teh caller perspective...indeed I have this fixed locally
> since ages in an horrible patch, that does a lot more, and that I
> never posted :P
>
> Usually, if it is worth, we also build an internal domain get helper to
> reuse across the protocol unit...but here really there are only 2 call-sites.
>
> What I am not sure is what to return: "unknown" is safer as of now than NULL
> for sure, but really, what happened is NOT that the name was "unknown" (which
> by itself would be out-of-spec behaviour) it is more that the whole domain that
> was referred to that was invalid and NOT existent...
>
> ....mmm I suppose we are opening another can of worms here :P

Like scmi_perf_info_get() returning ERR_PTR(-EINVAL) instead of NULL,
and scmi_perf_domain_probe() never checking the return value anyway?

Gr{oetje,eeting}s,

                        Geert

-- 
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
                                -- Linus Torvalds


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: [PATCH] firmware: arm_scmi: Fix OOB in scmi_power_name_get()
  2026-05-15 12:00       ` Geert Uytterhoeven
@ 2026-05-15 12:10         ` Cristian Marussi
  0 siblings, 0 replies; 7+ messages in thread
From: Cristian Marussi @ 2026-05-15 12:10 UTC (permalink / raw)
  To: Geert Uytterhoeven
  Cc: Cristian Marussi, Dan Carpenter, Sudeep Holla, arm-scmi,
	linux-arm-kernel, linux-kernel

On Fri, May 15, 2026 at 02:00:24PM +0200, Geert Uytterhoeven wrote:
> Hi Cristian,
> 
> On Fri, 15 May 2026 at 13:46, Cristian Marussi <cristian.marussi@arm.com> wrote:
> > On Fri, May 15, 2026 at 01:29:27PM +0200, Geert Uytterhoeven wrote:
> > > On Fri, 15 May 2026 at 12:28, Dan Carpenter <error27@gmail.com> wrote:
> > > > On Fri, May 15, 2026 at 11:59:15AM +0200, Geert Uytterhoeven wrote:
> > > > > scmi_power_name_get() does not validate the domain number passed by the
> > > > > external caller, which may lead to an out-of-bounds access.
> > > >
> > > > Is an external caller an out of tree caller?  So far as I can see this
> > >
> > > I meant a caller outside drivers/firmware/arm_scmi/.
> > >
> > > > is only called by scmi_pm_domain_probe().
> > > >
> > > >         scmi_pd->name = power_ops->name_get(ph, i);
> > > >
> > > > where i < num_domains.
> > >
> > > You are right. But this seems to be only API implementation in
> > > drivers/firmware/arm_scmi/ that does not validate the passed domain
> > > number.
> >
> > Yes we tend to validate protocol operations calls even if apparently
> > safe from teh caller perspective...indeed I have this fixed locally
> > since ages in an horrible patch, that does a lot more, and that I
> > never posted :P
> >
> > Usually, if it is worth, we also build an internal domain get helper to
> > reuse across the protocol unit...but here really there are only 2 call-sites.
> >
> > What I am not sure is what to return: "unknown" is safer as of now than NULL
> > for sure, but really, what happened is NOT that the name was "unknown" (which
> > by itself would be out-of-spec behaviour) it is more that the whole domain that
> > was referred to that was invalid and NOT existent...
> >
> > ....mmm I suppose we are opening another can of worms here :P
> 
> Like scmi_perf_info_get() returning ERR_PTR(-EINVAL) instead of NULL,
> and scmi_perf_domain_probe() never checking the return value anyway?

...oh probably more than that...and related vendor FW that already exploits
these missing checks here and there to arbitrarily skip domains and return
out-of-spec non-contigous sets of domains becasue they cannot bother to
implement properly the spec (or they have simply forked their codebase from
an old drop and never updated it again...)...so that any kernel-side fix
you made along the road carries the risk of breaking something and a string
of possibly needed quirks...

Cheers,
Cristian


^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2026-05-15 12:11 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-15  9:59 [PATCH] firmware: arm_scmi: Fix OOB in scmi_power_name_get() Geert Uytterhoeven
2026-05-15 10:28 ` Dan Carpenter
2026-05-15 11:29   ` Geert Uytterhoeven
2026-05-15 11:36     ` Dan Carpenter
2026-05-15 11:46     ` Cristian Marussi
2026-05-15 12:00       ` Geert Uytterhoeven
2026-05-15 12:10         ` Cristian Marussi

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox