From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-yw1-f179.google.com (mail-yw1-f179.google.com [209.85.128.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 505FB3CF04B for ; Mon, 4 May 2026 12:13:42 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.179 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777896824; cv=none; b=tNEN1SSKImQt1flQl9SJfY8nP7Es7gnwybVJKLai6po69fzFLL2oF/z9Op1FfEBSKKqWOu77yYrtABtS1U3Qz/z6Tn93ur8TYfqwYtwrgT1t/Rz0KsM0u+oPumeEA/CekcX7zsCjxA7mQPUlvihIAnICRl/Hlv6lHC2uaUl1m58= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777896824; c=relaxed/simple; bh=XNNpH1F5wvOWEqcIvtiZ7uYlDMRnhSh/liAy8ctj5SE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=brQA01sxX8JgrGEbeZoUGU1of8eaGvtWpddDSp+j8KtWwT5K16cF62gVcKtef5DIFW4mR0Y7Fgo5tZai7Zj9r9WFn9Gbm7MSxuJmQpQWA4CEGS3Trjy+NgseeESqf/K16S/FVk9FhQ4ZnHJbl4CngFkuRC70f9Ofj95cHZpD4RA= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=D3WLX3l0; arc=none smtp.client-ip=209.85.128.179 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="D3WLX3l0" Received: by mail-yw1-f179.google.com with SMTP id 00721157ae682-7bd5c582c6cso35306347b3.1 for ; Mon, 04 May 2026 05:13:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1777896821; x=1778501621; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=XM5dGgpkjSsxJQtB3BR2yd0n4llyOuuMJ1LAIAlQ75o=; b=D3WLX3l0AXcCNKZlUurWw4ZDO6UmsrO3V+pAw+JcDjPiDgH1mfO1eKnP278z4z9Utm GTfenXEI86lMRF0ZNNcZ+Fzo1v8jRqpnYsYUSOykZYfGjCSEDtk0SeYUvLHFdQJEfkRB joK04IpR055SgY+vgSeiauf9YgunWmaN0BCXOJo7fh26tApJK04oiE2j0JubBaSnhGmr VFI7D6QFr60XDJ2prFxPTQfr2Ap1Q4NG9xpwK4pCUIZp5Mug6WIdhTvKeRUJaJZu28G8 EpjiJZx/xnf72aml5K1h8e4c54Hb/Zi+nY6DMM//Er0u+Q46Y0DuIuPqCjuAwhNo/qqk /sfQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777896821; x=1778501621; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=XM5dGgpkjSsxJQtB3BR2yd0n4llyOuuMJ1LAIAlQ75o=; b=llS1QepG6L40fxQPDHouDBeZnYpJGJegJbZ/BRMumJT6jYlBiGdky7dT+4+9oDyzBt 6SRMRvIBAp3F+3WmMFEX/wGWUjRPy2ZL+6lUhlMVpCx/ujCTx2O8Z7TNq0nfwfHsA+HT 2i3V8JBYIw0xq+r1mSQhNTiJ8XZiq89Yd1nd4Gi8nz38+SnwfzbxUv7EjWOiQOCjyyho HvVDY8pB8ma0Vwu87eWV6Ix65/e+AYrFADM/qa8aqf9Rebfg8w6cjEBgBycFyar1Y9rp t7VGfISsa0c3eCa8yVx5TO94FqiqHZEamNOgpMs+yTPbKUQut3s+fjAOhsenDx5usdPq NAIQ== X-Forwarded-Encrypted: i=1; AFNElJ9aCU2XUETZbcYl9wL4HRKoWCeFlsWSHThcUUBmVDlq6oyAcvQM32b9V7hJCK6qqXVbNhmxBBkvD9SYuzE=@vger.kernel.org X-Gm-Message-State: AOJu0YwVsZ8iLPCRZUEWWbp64qYBj/ZUxXNgfVUEgMrndgnU0/CoHNw3 O0E9K7lpidC+11+Nrpd0xeHdWpCMDtO0ikf9rJfp4+8BTRjYkmtOpGr0 X-Gm-Gg: AeBDieuBEz6BEIhYaMO7vOU/Ka+AwvfG9DZD3aBt3Fm479IsEAhEa7JyxeFBY+OfxdD GD+SIyq7bYXiKA1mBtyjlcj0Cdc46iw505+CDP7ANJRUqqK3RwxDR+zVWUl5+36IxC+aqVwI8Dn IsDAqARiUu5DSFQlKwx5tNvKHcSGLz0kauWUNhg2lqOt+spqT/wULfbtDBUXGOZHpVd7CkrLpuX 8Fxwpd9MooNmOf63SmOn1cvZT9nGfBXSyc13hdB0GmrfsAW5J1OE+VE6RLMfidQuPFn8x/yFbH1 1srqVQ9h6gt5wunhbtwKk1cUHVBP/XfhD0VH391RsNWbnCOGe0GYw90cLkSSwnDsxOsGwmOKnJ9 0E4shzv3r+W7XlYI6ABmgVIUznVCEULdOkI4aakItN/kg+yI1TY2la04a9gvAPAepThXkdhWKiO XtcbfZHKlR4IDZ13VJJkFzjVz9fUKEfhu03dk14rsaaveRa8pMI+bQ/Do= X-Received: by 2002:a05:690c:a01c:b0:7b8:bc4e:ac3 with SMTP id 00721157ae682-7bd77104b4emr88139017b3.26.1777896821391; Mon, 04 May 2026 05:13:41 -0700 (PDT) Received: from ubuntu-linux-2404.ts.net ([186.151.100.108]) by smtp.gmail.com with ESMTPSA id 00721157ae682-7bd665464ccsm48417937b3.11.2026.05.04.05.13.39 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 04 May 2026 05:13:40 -0700 (PDT) From: Sebastian Alba Vives To: yilun.xu@linux.intel.com, gregkh@linuxfoundation.org Cc: linux-fpga@vger.kernel.org, conor.dooley@microchip.com, mdf@kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Sebastian Alba Vives Subject: [PATCH v5 3/3] fpga: microchip-spi: fix zero header_size OOB read in mpf_ops_parse_header() Date: Mon, 4 May 2026 06:13:32 -0600 Message-ID: <20260504121332.1053563-3-sebasjosue84@gmail.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20260504121332.1053563-1-sebasjosue84@gmail.com> References: <20260504121332.1053563-1-sebasjosue84@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit mpf_ops_parse_header() reads header_size from the bitstream at MPF_HEADER_SIZE_OFFSET (24). When header_size is zero, the expression *(buf + header_size - 1) reads one byte before the buffer start. Since initial_header_size is set to 71 in mpf_ops, the fpga-mgr core guarantees the buffer is always large enough to reach MPF_HEADER_SIZE_OFFSET. The only real gap is the zero header_size case, which cannot be resolved by providing a larger buffer, so return -EINVAL. Fixes: 5f8d4a9008307 ("fpga: microchip-spi: add Microchip MPF FPGA manager") Cc: stable@vger.kernel.org Signed-off-by: Sebastian Alba Vives --- Changes in v5: - Drop the count < MPF_HEADER_SIZE_OFFSET + 1 check. Since initial_header_size = 71 is set in mpf_ops, the fpga-mgr core already guarantees the buffer covers MPF_HEADER_SIZE_OFFSET. Only the zero header_size case remains as a genuine bug. Suggested by Xu Yilun. Changes in v4: - Reduce to two minimal fixes: minimum count check and -EINVAL for zero header_size (superseded by v5). Changes in v3: - Add overflow check for 32-bit in component size loop. Changes in v2: - Return -EINVAL for header_size == 0, -EAGAIN in block loop, add count check before MPF_HEADER_SIZE_OFFSET read. --- drivers/fpga/microchip-spi.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/drivers/fpga/microchip-spi.c b/drivers/fpga/microchip-spi.c index dca1a5d..cc8f6d7 100644 --- a/drivers/fpga/microchip-spi.c +++ b/drivers/fpga/microchip-spi.c @@ -115,9 +115,6 @@ static int mpf_ops_parse_header(struct fpga_manager *mgr, return -EINVAL; } - if (count < MPF_HEADER_SIZE_OFFSET + 1) - return -EINVAL; - header_size = *(buf + MPF_HEADER_SIZE_OFFSET); if (!header_size) return -EINVAL; -- 2.43.0