firmware: google: Add bounds checks in coreboot_table_populate()

coreboot_table_populate() iterates over firmware-provided table entries
with no validation that the entries stay within the mapped memory
region.  A corrupt table with a large `entry->size` advances `ptr_entry`
past the mapped region, causing an out-of-bounds read on the next
iteration.

Add a check before dereferencing `ptr_entry` to ensure the entry header
is readable, and a second check after reading `entry->size` to ensure
the full entry stays within the mapped region.

Pass `len` from coreboot_table_probe() into coreboot_table_populate() to
make the mapped region size available for validation.

Signed-off-by: Titouan Ameline de Cadeville <titouan.ameline@gmail.com>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Link: https://lore.kernel.org/r/20260426214739.117131-1-titouan.ameline@gmail.com
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>

diff --git a/drivers/firmware/google/coreboot_table.c b/drivers/firmware/google/coreboot_table.c
index c769631ea15d788e915cbe6b1f6e62526ad7d135..233939e548b44d60fc8b839d9ff0b9e48468140f 100644 (file)
--- a/drivers/firmware/google/coreboot_table.c
+++ b/drivers/firmware/google/coreboot_table.c
@@ -112,16 +112,20 @@ void coreboot_driver_unregister(struct coreboot_driver *driver)
 }
 EXPORT_SYMBOL(coreboot_driver_unregister);
 
-static int coreboot_table_populate(struct device *dev, void *ptr)
+static int coreboot_table_populate(struct device *dev, void *ptr, resource_size_t len)
 {
        int i, ret;
        void *ptr_entry;
        struct coreboot_device *device;
        struct coreboot_table_entry *entry;
        struct coreboot_table_header *header = ptr;
+       void *ptr_end;
 
+       ptr_end = ptr + len;
        ptr_entry = ptr + header->header_bytes;
        for (i = 0; i < header->table_entries; i++) {
+               if (ptr_entry + sizeof(*entry) > ptr_end)
+                       return -EINVAL;
                entry = ptr_entry;
 
                if (entry->size < sizeof(*entry)) {
@@ -129,6 +133,9 @@ static int coreboot_table_populate(struct device *dev, void *ptr)
                        return -EINVAL;
                }
 
+               if (ptr_entry + entry->size > ptr_end)
+                       return -EINVAL;
+
                device = kzalloc(sizeof(device->dev) + entry->size, GFP_KERNEL);
                if (!device)
                        return -ENOMEM;
@@ -194,7 +201,7 @@ static int coreboot_table_probe(struct platform_device *pdev)
        if (!ptr)
                return -ENOMEM;
 
-       ret = coreboot_table_populate(dev, ptr);
+       ret = coreboot_table_populate(dev, ptr, len);
 
        memunmap(ptr);