rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read

[ Upstream commit 3ab8c5ed4f84fa20cd16794fe8dc31f633fbc70c ]

The nvmem interface supports variable buffer sizes, while the regmap
interface operates with fixed-size storage. If an nvmem client uses a
buffer size less than 4 bytes, regmap_read will write out of bounds
as it expects the buffer to point at an unsigned int.

Fix this by using an intermediary unsigned int to hold the value.

Fixes: fadfd092ee91 ("rtc: pcf85063: add nvram support")
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Link: https://lore.kernel.org/r/20241218-rtc-pcf85063-stack-corruption-v1-1-12fd0ee0f046@pengutronix.de
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/rtc/rtc-pcf85063.c b/drivers/rtc/rtc-pcf85063.c
index 449204d84c61d8505696264e1d6a367c05a13111..dd3336cbb7921bf2c6c306164ba74f0d3957a7e3 100644 (file)
--- a/drivers/rtc/rtc-pcf85063.c
+++ b/drivers/rtc/rtc-pcf85063.c
@@ -328,7 +328,16 @@ static const struct rtc_class_ops pcf85063_rtc_ops_alarm = {
 static int pcf85063_nvmem_read(void *priv, unsigned int offset,
                               void *val, size_t bytes)
 {
-       return regmap_read(priv, PCF85063_REG_RAM, val);
+       unsigned int tmp;
+       int ret;
+
+       ret = regmap_read(priv, PCF85063_REG_RAM, &tmp);
+       if (ret < 0)
+               return ret;
+
+       *(u8 *)val = tmp;
+
+       return 0;
 }
 
 static int pcf85063_nvmem_write(void *priv, unsigned int offset,