nvmem: u-boot-env: error if NVMEM device is too small

[ Upstream commit 8679e8b4a1ebdb40c4429e49368d29353e07b601 ]

Verify data size before trying to parse it to avoid reading out of
buffer. This could happen in case of problems at MTD level or invalid DT
bindings.

Signed-off-by: John Thomson <git@johnthomson.fastmail.com.au>
Cc: stable <stable@kernel.org>
Fixes: d5542923f200 ("nvmem: add driver handling U-Boot environment variables")
[rmilecki: simplify commit description & rebase]
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Link: https://lore.kernel.org/r/20240902142510.71096-2-srinivas.kandagatla@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/nvmem/u-boot-env.c b/drivers/nvmem/u-boot-env.c
index befbab156cda1fc6af00538d4805c247829a2952..adabbfdad6fb6d13b9c3b2226b920f8ced66a3d2 100644 (file)
--- a/drivers/nvmem/u-boot-env.c
+++ b/drivers/nvmem/u-boot-env.c
@@ -176,6 +176,13 @@ static int u_boot_env_parse(struct u_boot_env *priv)
                data_offset = offsetof(struct u_boot_env_image_broadcom, data);
                break;
        }
+
+       if (dev_size < data_offset) {
+               dev_err(dev, "Device too small for u-boot-env\n");
+               err = -EIO;
+               goto err_kfree;
+       }
+
        crc32_addr = (__le32 *)(buf + crc32_offset);
        crc32 = le32_to_cpu(*crc32_addr);
        crc32_data_len = dev_size - crc32_data_offset;