| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aFMCQhOSoaMnccNA@lizhi-Precision-Tower-5810>
Date: Wed, 18 Jun 2025 14:15:30 -0400
From: Frank Li <Frank.li@....com>
To: Xiaolei Wang <xiaolei.wang@...driver.com>
Cc: abelvesa@...nel.org, peng.fan@....com, mturquette@...libre.com,
sboyd@...nel.org, shawnguo@...nel.org, s.hauer@...gutronix.de,
kernel@...gutronix.de, festevam@...il.com,
linux-clk@...r.kernel.org, imx@...ts.linux.dev,
linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] clk: imx: Fix an out-of-bounds access in
dispmix_csr_clk_dev_data
On Wed, Jun 18, 2025 at 02:53:18PM +0800, Xiaolei Wang wrote:
> When num_parents is 4, __clk_register() occurs an out-of-bounds
> when accessing parent_names member. Use ARRAY_SIZE() instead of
> hardcode number here.
>
> BUG: KASAN: global-out-of-bounds in __clk_register+0x1844/0x20d8
> Read of size 8 at addr ffff800086988e78 by task kworker/u24:3/59
> Hardware name: NXP i.MX95 19X19 board (DT)
> Workqueue: events_unbound deferred_probe_work_func
> Call trace:
> dump_backtrace+0x94/0xec
> show_stack+0x18/0x24
> dump_stack_lvl+0x8c/0xcc
> print_report+0x398/0x5fc
> kasan_report+0xd4/0x114
> __asan_report_load8_noabort+0x20/0x2c
> __clk_register+0x1844/0x20d8
> clk_hw_register+0x44/0x110
> __clk_hw_register_mux+0x284/0x3a8
> imx95_bc_probe+0x4f4/0xa70
>
> Fixes: 5224b189462f ("clk: imx: add i.MX95 BLK CTL clk driver")
> Signed-off-by: Xiaolei Wang <xiaolei.wang@...driver.com>
You need cc stable.
Reviewed-by: Frank Li <Frank.Li@....com>
> ---
> v1:
> https://patchwork.kernel.org/project/linux-arm-kernel/patch/20250614112255.2838154-1-xiaolei.wang@windriver.com/
> v2:
> Use ARRAY_SIZE() instead of hardcode number here.
>
> drivers/clk/imx/clk-imx95-blk-ctl.c | 12 ++++++++----
> 1 file changed, 8 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/clk/imx/clk-imx95-blk-ctl.c b/drivers/clk/imx/clk-imx95-blk-ctl.c
> index 25974947ad0c..cc2ee2be1819 100644
> --- a/drivers/clk/imx/clk-imx95-blk-ctl.c
> +++ b/drivers/clk/imx/clk-imx95-blk-ctl.c
> @@ -219,11 +219,15 @@ static const struct imx95_blk_ctl_dev_data lvds_csr_dev_data = {
> .clk_reg_offset = 0,
> };
>
> +static const char * const disp_engine_parents[] = {
> + "videopll1", "dsi_pll", "ldb_pll_div7"
> +};
> +
> static const struct imx95_blk_ctl_clk_dev_data dispmix_csr_clk_dev_data[] = {
> [IMX95_CLK_DISPMIX_ENG0_SEL] = {
> .name = "disp_engine0_sel",
> - .parent_names = (const char *[]){"videopll1", "dsi_pll", "ldb_pll_div7", },
> - .num_parents = 4,
> + .parent_names = disp_engine_parents,
> + .num_parents = ARRAY_SIZE(disp_engine_parents),
> .reg = 0,
> .bit_idx = 0,
> .bit_width = 2,
> @@ -232,8 +236,8 @@ static const struct imx95_blk_ctl_clk_dev_data dispmix_csr_clk_dev_data[] = {
> },
> [IMX95_CLK_DISPMIX_ENG1_SEL] = {
> .name = "disp_engine1_sel",
> - .parent_names = (const char *[]){"videopll1", "dsi_pll", "ldb_pll_div7", },
> - .num_parents = 4,
> + .parent_names = disp_engine_parents,
> + .num_parents = ARRAY_SIZE(disp_engine_parents),
> .reg = 0,
> .bit_idx = 2,
> .bit_width = 2,
> --
> 2.43.0
>
Powered by blists - more mailing lists