From: Sebastian Alba Vives
To: yilun.xu@linux.intel.com, gregkh@linuxfoundation.org
Cc: linux-fpga@vger.kernel.org, conor.dooley@microchip.com, mdf@kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Sebastian Alba Vives
Subject: [PATCH v6 3/3] fpga: microchip-spi: fix zero header_size OOB read in mpf_ops_parse_header()
Date: Tue, 12 May 2026 07:07:10 -0600
Message-ID: <20260512130710.933089-4-sebasjosue84@gmail.com>
In-Reply-To: <20260512130710.933089-1-sebasjosue84@gmail.com>
References: <20260512130710.933089-1-sebasjosue84@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

mpf_ops_parse_header() reads header_size from the bitstream at
MPF_HEADER_SIZE_OFFSET (24). When header_size is zero, the expression
*(buf + header_size - 1) reads one byte before the buffer start.

Since initial_header_size is set to 71 in mpf_ops, the fpga-mgr core
guarantees the buffer is always large enough to reach
MPF_HEADER_SIZE_OFFSET. The only real gap is the zero header_size case,
which cannot be resolved by providing a larger buffer, so return -EINVAL.

Fixes: 5f8d4a9008307 ("fpga: microchip-spi: add Microchip MPF FPGA manager")
Cc: stable@vger.kernel.org
Signed-off-by: Sebastian Alba Vives --- Changes in v6: - Rebase onto linux-next. Add cover letter. Suggested by Xu Yilun. Changes in v5: - Drop redundant count check since initial_header_size = 71 already guarantees the buffer covers MPF_HEADER_SIZE_OFFSET. Suggested by Xu Yilun. --- drivers/fpga/microchip-spi.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/fpga/microchip-spi.c b/drivers/fpga/microchip-spi.c index 6134cea86..cc8f6d7bb 100644 --- a/drivers/fpga/microchip-spi.c +++ b/drivers/fpga/microchip-spi.c @@ -116,6 +116,9 @@ static int mpf_ops_parse_header(struct fpga_manager *mgr, } header_size = *(buf + MPF_HEADER_SIZE_OFFSET); + if (!header_size) + return -EINVAL; + if (header_size > count) { info->header_size = header_size; return -EAGAIN; -- 2.43.0
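
Review bot: The added "if (!header_size) return -EINVAL;" in mpf_ops_parse_header() has no comment, so the reason zero is rejected (the later *(buf + header_size - 1) access would land one byte before buf) is recorded only in the commit message. A one-line comment above the check would keep a later cleanup from folding it into the "header_size > count" test that follows, which returns -EAGAIN and cannot catch zero. The unguarded read "header_size = *(buf + MPF_HEADER_SIZE_OFFSET);" directly above also depends on initial_header_size = 71 keeping count past offset 24, and since v5 dropped the explicit count check, it is worth stating that invariant in the same comment so the dependency is visible at the point of the read.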