of: cpu: add check in __of_find_n_match_cpu_property()

In __of_find_n_match_cpu_property(), checking the variable ac for 0 won't
prevent a possible overflow when multiplying it by sizeof(*cell). Besides,
of_read_number() (called in the *for* loop) can't return correct result if
that variable (which equals the #address-cells prop's value) exceeds 2, so
additionally checking for that seems logical...

Found by Linux Verification Center (linuxtesting.org) with the Svace static
analysis tool.

Fixes: f3cea45a77c8 ("of: Fix iteration bug over CPU reg properties")
Signed-off-by: Sergey Shtylyov <s.shtylyov@auroraos.dev>
Link: https://patch.msgid.link/0c7bf7e9-887c-42d5-bcfb-0ba7fe1e70b6@auroraos.dev
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>

diff --git a/drivers/of/cpu.c b/drivers/of/cpu.c
index 5214dc3d05ae178f29d476e6e34590ca1f357763..bd0e918d6f290ed087fd47e3563394573b89de62 100644 (file)
--- a/drivers/of/cpu.c
+++ b/drivers/of/cpu.c
@@ -60,7 +60,7 @@ static bool __of_find_n_match_cpu_property(struct device_node *cpun,
        cell = of_get_property(cpun, prop_name, &prop_len);
        if (!cell && !ac && arch_match_cpu_phys_id(cpu, 0))
                return true;
-       if (!cell || !ac)
+       if (!cell || !ac || ac > 2)
                return false;
        prop_len /= sizeof(*cell) * ac;
        for (tid = 0; tid < prop_len; tid++) {