tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

of: address: Report error on resource bounds overflow

The members "start" and "end" of struct resource are of type
"resource_size_t" which can be 32bit wide.
Values read from OF however are always 64bit wide.
Avoid silently truncating the value and instead return an error value.

This can happen on real systems when the DT was created for a
PAE-enabled kernel and a non-PAE kernel is actually running.
For example with an arm defconfig and "qemu-system-arm -M virt".

Link: https://bugs.launchpad.net/qemu/+bug/1790975
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Tested-by: Nam Cao <namcao@linutronix.de>
Reviewed-by: Nam Cao <namcao@linutronix.de>
Link: https://lore.kernel.org/r/20240905-of-resource-overflow-v1-1-0cd8bb92cc1f@linutronix.de
Cc: stable@vger.kernel.org
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>

authored by

Thomas Weißschuh and committed by
Rob Herring (Arm) 000f6d58 05144ab7

+5
+5
drivers/of/address.c
··· 8 8 #include <linux/logic_pio.h> 9 9 #include <linux/module.h> 10 10 #include <linux/of_address.h> 11 + #include <linux/overflow.h> 11 12 #include <linux/pci.h> 12 13 #include <linux/pci_regs.h> 13 14 #include <linux/sizes.h> ··· 1062 1061 if (of_mmio_is_nonposted(dev)) 1063 1062 flags |= IORESOURCE_MEM_NONPOSTED; 1064 1063 1064 + if (overflows_type(taddr, r->start)) 1065 + return -EOVERFLOW; 1065 1066 r->start = taddr; 1067 + if (overflows_type(taddr + size - 1, r->end)) 1068 + return -EOVERFLOW; 1066 1069 r->end = taddr + size - 1; 1067 1070 r->flags = flags; 1068 1071 r->name = name ? name : dev->full_name;