
[2/7] clk: sunxi: Prevent out-of-bounds gate array access

Message ID 20220509052937.42283-3-samuel@sholland.org
State Accepted
Delegated to: Andre Przywara
Series clk: sunxi: Out-of-bounds access fix and driver cleanup

Commit Message

Samuel Holland May 9, 2022, 5:29 a.m. UTC
Because the gate arrays are not given explicit sizes, the arrays are
only as large as the highest-numbered gate described in the driver.
However, only a subset of the CCU clocks are needed by U-Boot. So there
are valid clock specifiers with indexes greater than the size of the
arrays. Referencing any of these clocks causes out-of-bounds access.
Fix this by checking the identifier against the size of the array.

Fixes: 0d47bc705651 ("clk: Add Allwinner A64 CLK driver")
Signed-off-by: Samuel Holland <samuel@sholland.org>
---

 drivers/clk/sunxi/clk_sunxi.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
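
The sizing problem described in the commit message, shown as an added example that is not part of the patch or of U-Boot's code. The IDs, struct layouts and function names are hypothetical stand-ins for the driver's own.

```c
#include <stddef.h>
#include <stdio.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define GATE_VALID 0x1u	/* hypothetical stand-in for a "valid entry" flag */

/* Hypothetical clock IDs, numbered the way a binding header would.
 * CLK_C is a valid specifier, but this table does not describe it. */
enum { CLK_A = 3, CLK_B = 7, CLK_C = 20 };

struct gate { unsigned int off, bit, flags; };

/* No explicit size: the array ends at the highest designated index (7),
 * so it has 8 elements and index 20 lies past its end. */
static const struct gate gates[] = {
	[CLK_A] = { 0x60, 1, GATE_VALID },
	[CLK_B] = { 0x64, 5, GATE_VALID },
};

struct desc { const struct gate *gates; size_t num_gates; };

/* The descriptor records the real element count next to the pointer. */
static const struct desc demo_desc = { gates, ARRAY_SIZE(gates) };

/* Bounds-checked lookup: NULL for any ID past the end of the array. */
static const struct gate *lookup_gate(const struct desc *d, unsigned long id)
{
	if (id >= d->num_gates)
		return NULL;
	return &d->gates[id];
}

/* 1 if the table describes this ID; 0 for holes and out-of-range IDs. */
static int gate_handled(const struct desc *d, unsigned long id)
{
	const struct gate *g = lookup_gate(d, id);

	return g && (g->flags & GATE_VALID);
}

int main(void)
{
	printf("elements: %zu\n", demo_desc.num_gates);
	printf("CLK_A=%d CLK_B=%d hole(5)=%d CLK_C=%d\n",
	       gate_handled(&demo_desc, CLK_A), gate_handled(&demo_desc, CLK_B),
	       gate_handled(&demo_desc, 5), gate_handled(&demo_desc, CLK_C));
	return 0;
}
```

Index 5 is a zero-filled hole inside the array and is caught by the flag test alone; index 20 is only caught by the size check.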

Comments

Andre Przywara June 26, 2022, 10:43 a.m. UTC | #1
On Mon,  9 May 2022 00:29:32 -0500
Samuel Holland <samuel@sholland.org> wrote:

> Because the gate arrays are not given explicit sizes, the arrays are
> only as large as the highest-numbered gate described in the driver.
> However, only a subset of the CCU clocks are needed by U-Boot. So there
> are valid clock specifiers with indexes greater than the size of the
> arrays. Referencing any of these clocks causes out-of-bounds access.
> Fix this by checking the identifier against the size of the array.
> 
> Fixes: 0d47bc705651 ("clk: Add Allwinner A64 CLK driver")
> Signed-off-by: Samuel Holland <samuel@sholland.org>

That's a good addition! Amended the patch to cover CCU_CLK_F_DUMMY_GATE.

Reviewed-by: Andre Przywara <andre.przywara@arm.com>

Cheers,
Andre

> ---
> 
>  drivers/clk/sunxi/clk_sunxi.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/clk/sunxi/clk_sunxi.c b/drivers/clk/sunxi/clk_sunxi.c
> index 9673b58a49..3108e5b66d 100644
> --- a/drivers/clk/sunxi/clk_sunxi.c
> +++ b/drivers/clk/sunxi/clk_sunxi.c
> @@ -18,6 +18,9 @@
>  static const struct ccu_clk_gate *priv_to_gate(struct ccu_priv *priv,
>  					       unsigned long id)
>  {
> +	if (id >= priv->desc->num_gates)
> +		return NULL;
> +
>  	return &priv->desc->gates[id];
>  }
>  
> @@ -27,7 +30,7 @@ static int sunxi_set_gate(struct clk *clk, bool on)
>  	const struct ccu_clk_gate *gate = priv_to_gate(priv, clk->id);
>  	u32 reg;
>  
> -	if (!(gate->flags & CCU_CLK_F_IS_VALID)) {
> +	if (!gate || !(gate->flags & CCU_CLK_F_IS_VALID)) {
>  		printf("%s: (CLK#%ld) unhandled\n", __func__, clk->id);
>  		return 0;
>  	}

Patch

diff --git a/drivers/clk/sunxi/clk_sunxi.c b/drivers/clk/sunxi/clk_sunxi.c
index 9673b58a49..3108e5b66d 100644
--- a/drivers/clk/sunxi/clk_sunxi.c
+++ b/drivers/clk/sunxi/clk_sunxi.c
@@ -18,6 +18,9 @@ 
 static const struct ccu_clk_gate *priv_to_gate(struct ccu_priv *priv,
 					       unsigned long id)
 {
+	if (id >= priv->desc->num_gates)
+		return NULL;
+
 	return &priv->desc->gates[id];
 }
 
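Review bot: the new "id >= priv->desc->num_gates" test in priv_to_gate() is only as reliable as the value stored in num_gates, and nothing in this diff shows where that field is filled in. Please confirm that every CCU descriptor sets it from the real length of its gates array (ARRAY_SIZE or equivalent); a descriptor that leaves it at zero would make every lookup return NULL and every gate report as unhandled. Since the function can now return NULL, a one-line comment above it stating that would help any caller other than sunxi_set_gate().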
@@ -27,7 +30,7 @@  static int sunxi_set_gate(struct clk *clk, bool on)
 	const struct ccu_clk_gate *gate = priv_to_gate(priv, clk->id);
 	u32 reg;
 
-	if (!(gate->flags & CCU_CLK_F_IS_VALID)) {
+	if (!gate || !(gate->flags & CCU_CLK_F_IS_VALID)) {
 		printf("%s: (CLK#%ld) unhandled\n", __func__, clk->id);
 		return 0;
 	}
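Review bot: in sunxi_set_gate(), the added "!gate ||" sends an out-of-range ID down the same path as an in-range entry that lacks CCU_CLK_F_IS_VALID, and that path prints "unhandled" and returns 0, so the caller sees success for a clock that was never touched. If that is intended for clocks U-Boot does not manage, a short comment saying so would make it clear; otherwise consider returning an error code for the NULL case so the two situations can be told apart. Minor: the message formats clk->id with %ld while priv_to_gate() takes the ID as unsigned long, so %lu would match.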