| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250919032714.948213-1-joonwonkang@google.com>
Date: Fri, 19 Sep 2025 03:27:14 +0000
From: Joonwon Kang <joonwonkang@...gle.com>
To: jassisinghbrar@...il.com, peng.fan@....nxp.com
Cc: linux-kernel@...r.kernel.org, Joonwon Kang <joonwonkang@...gle.com>
Subject: [PATCH v3] mailbox: Prevent out-of-bounds access in of_mbox_index_xlate()
Although it is guided that `#mbox-cells` must be at least 1, there are
many instances of `#mbox-cells = <0>;` in the device tree. If that is
the case and the corresponding mailbox controller does not provide
`of_xlate` function pointer, `of_mbox_index_xlate()` will be used by
default and out-of-bounds accesses could occur due to lack of bounds
check in that function.
Signed-off-by: Joonwon Kang <joonwonkang@...gle.com>
---
drivers/mailbox/mailbox.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c
index 5cd8ae222073..5bccdf27d6ab 100644
--- a/drivers/mailbox/mailbox.c
+++ b/drivers/mailbox/mailbox.c
@@ -476,7 +476,7 @@ of_mbox_index_xlate(struct mbox_controller *mbox,
{
int ind = sp->args[0];
- if (ind >= mbox->num_chans)
+ if (sp->args_count < 1 || ind >= mbox->num_chans)
return ERR_PTR(-EINVAL);
return &mbox->chans[ind];
--
2.51.0.470.ga7dc726c21-goog
Powered by blists - more mailing lists