From: Jernej Škrabec
To: Alessandro Zummo, Alexandre Belloni, Chen-Yu Tsai, Samuel Holland
Cc: linux-arm-kernel@lists.infradead.org, linux-rtc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-sunxi@lists.linux.dev
Subject: Re: [PATCH 1/2] rtc: sun6i: Prevent an out-of-bounds read
Date: Sun, 08 Jan 2023 20:39:27 +0100
Message-ID: <4834080.31r3eYUQgx@jernej-laptop>
In-Reply-To: <5c20af59-5fb5-8f7d-f6af-2b3984d79595@sholland.org>
References: <20221229184011.62925-1-samuel@sholland.org> <8201852.NyiUUSuA9g@jernej-laptop> <5c20af59-5fb5-8f7d-f6af-2b3984d79595@sholland.org>

On Saturday, 07 January 2023 at 18:15:47 CET, Samuel Holland wrote:
> Hi Jernej,
>
> On 1/5/23 11:26, Jernej Škrabec wrote:
> > On Thursday, 29 December 2022 at 19:40:10 CET, Samuel Holland wrote:
> >> If there is more than one parent clock in the devicetree, the
> >> driver sets .num_parents to a larger value than the number of array
> >> elements, which causes an out-of-bounds read in the clock framework.
> >
> > Is there any DT with more than one parent? I think more fixes are needed
> > if this is the case.
>
> H616 and newer expect more than one parent, to accurately represent the
> RTC clock tree, but they use the CCU driver instead of this code.

If I understand that correctly, the second clock would be the 24 MHz crystal? In any
case, if multiple parents are possible, a check needs to be added to see if
the parent clocks include the 32 kHz clock or not.

>
> This bug is preventing us from relaxing `maxItems` in the binding for H6
> and older SoCs, even if Linux does not use the additional parent clocks.
> I want to fix this bug now, to give us the option (if beneficial) of
> relaxing the binding in the long-term future.
I wouldn't call it a bug, since it works just fine for the currently defined
binding. Do you have a DT binding change in the pipeline?

Best regards,
Jernej

>
> Regards,
> Samuel
>
> >> Fix this by coercing the parent count to a Boolean value, like the
> >> driver expects.
> >>
> >> Fixes: 3855c2c3e546 ("rtc: sun6i: Expose the 32kHz oscillator")
> >> Signed-off-by: Samuel Holland
> >> --- > >>=20 > >> drivers/rtc/rtc-sun6i.c | 2 +- > >> 1 file changed, 1 insertion(+), 1 deletion(-) > >>=20 > >> diff --git a/drivers/rtc/rtc-sun6i.c b/drivers/rtc/rtc-sun6i.c > >> index ed5516089e9a..a22358a44e32 100644 > >> --- a/drivers/rtc/rtc-sun6i.c > >> +++ b/drivers/rtc/rtc-sun6i.c > >> @@ -294,7 +294,7 @@ static void __init sun6i_rtc_clk_init(struct > >> device_node *node, > >>=20 > >> init.parent_names =3D parents; > >> /* ... number of clock parents will be 1. */ > >>=20 > >> - init.num_parents =3D of_clk_get_parent_count(node) + 1; > >> + init.num_parents =3D !!of_clk_get_parent_count(node) + 1; > >>=20 > >> of_property_read_string_index(node, "clock-output-names", 0, > >> =09 > >> &init.name);
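
Review bot: In the changed `init.num_parents` line, `!!of_clk_get_parent_count(node) + 1` clamps silently: a devicetree that lists two or more parent clocks now yields the same value as one that lists exactly one, and nothing in the hunk checks that the first listed parent is the 32 kHz clock the driver expects, which is the concern raised in the reply. Consider emitting a warning when the count exceeds 1, and extending the existing comment (`/* ... number of clock parents will be 1. */`) to state that additional parents are deliberately ignored and that the result must never exceed the number of elements in `parents`. An explicit bound against the array size would make that invariant visible in the code rather than leaving it implied by the `!!` idiom.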