From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from phobos.denx.de (phobos.denx.de [85.214.62.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id D0B86C433EF for ; Mon, 27 Jun 2022 00:48:30 +0000 (UTC) Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id 04D77839CC; Mon, 27 Jun 2022 02:48:11 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=fail (p=none dis=none) header.from=arm.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Received: by phobos.denx.de (Postfix, from userid 109) id 205F083E7E; Mon, 27 Jun 2022 02:48:06 +0200 (CEST) Received: from foss.arm.com (foss.arm.com [217.140.110.172]) by phobos.denx.de (Postfix) with ESMTP id D665882104 for ; Mon, 27 Jun 2022 02:47:59 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=arm.com Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=andre.przywara@arm.com Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14]) by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id 80AFD12FC; Sun, 26 Jun 2022 17:47:59 -0700 (PDT) Received: from slackpad.lan (unknown [172.31.20.19]) by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id C78373F5A1; Sun, 26 Jun 2022 17:47:57 -0700 (PDT) Date: Sun, 26 Jun 2022 11:43:03 +0100 From: Andre Przywara To: Samuel Holland Cc: u-boot@lists.denx.de, Jagan Teki , Lukasz Majewski , Sean Anderson , Bin Meng , Heinrich Schuchardt , Maxime Ripard Subject: Re: [PATCH 2/7] clk: sunxi: Prevent out-of-bounds gate array access Message-ID: <20220626114303.002c8d3a@slackpad.lan> In-Reply-To: <20220509052937.42283-3-samuel@sholland.org> References: <20220509052937.42283-1-samuel@sholland.org> <20220509052937.42283-3-samuel@sholland.org> Organization: Arm Ltd. X-Mailer: Claws Mail 4.1.0 (GTK 3.24.31; x86_64-slackware-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.6 at phobos.denx.de X-Virus-Status: Clean On Mon, 9 May 2022 00:29:32 -0500 Samuel Holland wrote: > Because the gate arrays are not given explicit sizes, the arrays are > only as large as the highest-numbered gate described in the driver. > However, only a subset of the CCU clocks are needed by U-Boot. So there > are valid clock specifiers with indexes greater than the size of the > arrays. Referencing any of these clocks causes out-of-bounds access. > Fix this by checking the identifier against the size of the array. > > Fixes: 0d47bc705651 ("clk: Add Allwinner A64 CLK driver") > Signed-off-by: Samuel Holland That's a good addition! Amended the patch to cover CCU_CLK_F_DUMMY_GATE. Reviewed-by: Andre Przywara Cheers, Andre > --- > > drivers/clk/sunxi/clk_sunxi.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/drivers/clk/sunxi/clk_sunxi.c b/drivers/clk/sunxi/clk_sunxi.c > index 9673b58a49..3108e5b66d 100644 > --- a/drivers/clk/sunxi/clk_sunxi.c > +++ b/drivers/clk/sunxi/clk_sunxi.c > @@ -18,6 +18,9 @@ > static const struct ccu_clk_gate *priv_to_gate(struct ccu_priv *priv, > unsigned long id) > { > + if (id >= priv->desc->num_gates) > + return NULL; > + > return &priv->desc->gates[id]; > } > > @@ -27,7 +30,7 @@ static int sunxi_set_gate(struct clk *clk, bool on) > const struct ccu_clk_gate *gate = priv_to_gate(priv, clk->id); > u32 reg; > > - if (!(gate->flags & CCU_CLK_F_IS_VALID)) { > + if (!gate || !(gate->flags & CCU_CLK_F_IS_VALID)) { > printf("%s: (CLK#%ld) unhandled\n", __func__, clk->id); > return 0; > }