diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2026-06-16 07:21:48 +0530 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2026-06-16 07:21:48 +0530 |
| commit | fd1878584db2f0ab3fe8f2b3d8d59316fffa47fa (patch) | |
| tree | 1c1ed6f794fd9d2bb3a15f5192dca26ffa4f00ab | |
| parent | 2b5f5609ae9b218c9ee0cdb7f624ddb03d44cf84 (diff) | |
| parent | 86e3bbc716332600e9e087f8a4889f4d9714a99c (diff) | |
Merge tag 'chrome-platform-firmware-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux
Pull chrome-platform firmware updates from Tzung-Bi Shih:
- Add bound checks when iterating the coreboot table
- Skip failing entries only instead of aborting the whole device
populate from the coreboot table
* tag 'chrome-platform-firmware-v7.2' of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux:
firmware: google: Skip failing entries instead of aborting populate
firmware: google: Add bounds checks in coreboot_table_populate()
| -rw-r--r-- | drivers/firmware/google/coreboot_table.c | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/drivers/firmware/google/coreboot_table.c b/drivers/firmware/google/coreboot_table.c index c769631ea15d..83f7eedf0b3f 100644 --- a/drivers/firmware/google/coreboot_table.c +++ b/drivers/firmware/google/coreboot_table.c @@ -112,16 +112,20 @@ void coreboot_driver_unregister(struct coreboot_driver *driver) } EXPORT_SYMBOL(coreboot_driver_unregister); -static int coreboot_table_populate(struct device *dev, void *ptr) +static int coreboot_table_populate(struct device *dev, void *ptr, resource_size_t len) { int i, ret; void *ptr_entry; struct coreboot_device *device; struct coreboot_table_entry *entry; struct coreboot_table_header *header = ptr; + void *ptr_end; + ptr_end = ptr + len; ptr_entry = ptr + header->header_bytes; for (i = 0; i < header->table_entries; i++) { + if (ptr_entry + sizeof(*entry) > ptr_end) + return -EINVAL; entry = ptr_entry; if (entry->size < sizeof(*entry)) { @@ -129,6 +133,9 @@ static int coreboot_table_populate(struct device *dev, void *ptr) return -EINVAL; } + if (ptr_entry + entry->size > ptr_end) + return -EINVAL; + device = kzalloc(sizeof(device->dev) + entry->size, GFP_KERNEL); if (!device) return -ENOMEM; @@ -148,13 +155,13 @@ static int coreboot_table_populate(struct device *dev, void *ptr) break; } + ptr_entry += entry->size; + ret = device_register(&device->dev); if (ret) { + dev_warn(dev, "failed to register coreboot device: %d\n", ret); put_device(&device->dev); - return ret; } - - ptr_entry += entry->size; } return 0; @@ -194,7 +201,7 @@ static int coreboot_table_probe(struct platform_device *pdev) if (!ptr) return -ENOMEM; - ret = coreboot_table_populate(dev, ptr); + ret = coreboot_table_populate(dev, ptr, len); memunmap(ptr); |