From: Andrew Goodbody <andrew.goodbody@linaro.org>
Date: Thu, 3 Jul 2025 10:00:33 +0000 (+0100)
Subject: cros_ec: sandbox: Use correct value for number of slots
X-Git-Tag: v2025.10-rc1~76
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bae3a34cb9e6b3ce6d01f68cdd34cdd45419f22f;p=thirdparty%2Fu-boot.git

cros_ec: sandbox: Use correct value for number of slots

In the definition of struct ec_state the number of slots that are
created is VSTORE_SLOT_COUNT (==4) but the value of req->slot is
checked against EC_VSTORE_SLOT_MAX (==32) so this can lead to memory
access beyond that allocated.
Instead change the size check to use VSTORE_SLOT_COUNT to ensure it
matches what has actually been allocated.

This issue found by Smatch.

Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
---

diff --git a/drivers/misc/cros_ec_sandbox.c b/drivers/misc/cros_ec_sandbox.c
index 3ac690a3733..432b1fbb0c4 100644
--- a/drivers/misc/cros_ec_sandbox.c
+++ b/drivers/misc/cros_ec_sandbox.c
@@ -540,7 +540,7 @@ static int process_cmd(struct ec_state *ec,
 		const struct ec_params_vstore_write *req = req_data;
 		struct vstore_slot *slot;
 
-		if (req->slot >= EC_VSTORE_SLOT_MAX)
+		if (req->slot >= VSTORE_SLOT_COUNT)
 			return -EINVAL;
 		slot = &ec->slot[req->slot];
 		slot->locked = true;
@@ -553,7 +553,7 @@ static int process_cmd(struct ec_state *ec,
 		struct ec_response_vstore_read *resp = resp_data;
 		struct vstore_slot *slot;
 
-		if (req->slot >= EC_VSTORE_SLOT_MAX)
+		if (req->slot >= VSTORE_SLOT_COUNT)
 			return -EINVAL;
 		slot = &ec->slot[req->slot];
 		memcpy(resp->data, slot->data, EC_VSTORE_SLOT_SIZE);