linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] firmware: arm_scpi: Fix string overflow in SCPI genpd driver
@ 2021-12-06 15:31 Sudeep Holla
  0 siblings, 0 replies; only message in thread
From: Sudeep Holla @ 2021-12-06 15:31 UTC (permalink / raw)
  To: linux-kernel; +Cc: Sudeep Holla, Pedro Batista, Cristian Marussi

Without the bound checks for scpi_pd->name, it could result in the buffer
overflow when copying the SCPI device name from the corresponding device
tree node as the name string is set at maximum size of 30.

Let us fix it by using kasprintf and devm_kstrdup so that the string
buffer is allocated dynamically.

Fixes: 8bec4337ad40 ("firmware: scpi: add device power domain support using genpd")
Reported-by: Pedro Batista <pedbap.g@gmail.com>
Cc: Cristian Marussi <cristian.marussi@arm.com>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
---
 drivers/firmware/scpi_pm_domain.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/drivers/firmware/scpi_pm_domain.c b/drivers/firmware/scpi_pm_domain.c
index 51201600d789..377272c06ac3 100644
--- a/drivers/firmware/scpi_pm_domain.c
+++ b/drivers/firmware/scpi_pm_domain.c
@@ -11,12 +11,12 @@
 #include <linux/of_platform.h>
 #include <linux/pm_domain.h>
 #include <linux/scpi_protocol.h>
+#include <linux/slab.h>

 struct scpi_pm_domain {
 	struct generic_pm_domain genpd;
 	struct scpi_ops *ops;
 	u32 domain;
-	char name[30];
 };

 /*
@@ -106,12 +106,18 @@ static int scpi_pm_domain_probe(struct platform_device *pdev)
 		return -ENOMEM;

 	for (i = 0; i < num_domains; i++, scpi_pd++) {
+		const char *name = kasprintf(GFP_KERNEL, "%pOFn%d", np, i);
+
 		domains[i] = &scpi_pd->genpd;

 		scpi_pd->domain = i;
 		scpi_pd->ops = scpi_ops;
-		sprintf(scpi_pd->name, "%pOFn.%d", np, i);
-		scpi_pd->genpd.name = scpi_pd->name;
+		scpi_pd->genpd.name = devm_kstrdup(dev, name, GFP_KERNEL);
+		if (!scpi_pd->genpd.name) {
+			dev_err(dev, "Failed to allocate genpd name for %s\n",
+				name);
+			continue;
+		}
 		scpi_pd->genpd.power_off = scpi_pd_power_off;
 		scpi_pd->genpd.power_on = scpi_pd_power_on;

@@ -122,6 +128,7 @@ static int scpi_pm_domain_probe(struct platform_device *pdev)
 		 * but for reference counting purpose, keep it this way.
 		 */
 		pm_genpd_init(&scpi_pd->genpd, NULL, true);
+		kfree(name);
 	}

 	scpi_pd_data->domains = domains;
--
2.25.1


^ permalink raw reply related	[flat|nested] only message in thread
only message in thread, other threads:[~2021-12-06 15:49 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-12-06 15:31 [PATCH] firmware: arm_scpi: Fix string overflow in SCPI genpd driver Sudeep Holla

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).