]> git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
projects / thirdparty / kernel / stable.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7aa077d)
watchdog: ziirave_wdt: check record length in ziirave_firm_verify()
authorDan Carpenter <dan.carpenter@linaro.org>
Wed, 28 May 2025 20:22:19 +0000 (23:22 +0300)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 15 Aug 2025 10:13:55 +0000 (12:13 +0200)
[ Upstream commit 8b61d8ca751bc15875b50e0ff6ac3ba0cf95a529 ]

The "rec->len" value comes from the firmware.  We generally do
trust firmware, but it's always better to double check.  If
the length value is too large it would lead to memory corruption
when we set "data[i] = ret;"

Fixes: 217209db0204 ("watchdog: ziirave_wdt: Add support to upload the firmware.")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/3b58b453f0faa8b968c90523f52c11908b56c346.1748463049.git.dan.carpenter@linaro.org
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/watchdog/ziirave_wdt.c patch | blob | blame | history

diff --git a/drivers/watchdog/ziirave_wdt.c b/drivers/watchdog/ziirave_wdt.c
index 775838346bb50b5fe939d71444e2762144d42145..09d6721c7bfa5921c0cbfaa25e470152189fb66e 100644 (file)
--- a/drivers/watchdog/ziirave_wdt.c
+++ b/drivers/watchdog/ziirave_wdt.c
@@ -302,6 +302,9 @@ static int ziirave_firm_verify(struct watchdog_device *wdd,
                const u16 len = be16_to_cpu(rec->len);
                const u32 addr = be32_to_cpu(rec->addr);
 
+               if (len > sizeof(data))
+                       return -EINVAL;
+
                if (ziirave_firm_addr_readonly(addr))
                        continue;
 
Mirror https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git