Re: [PATCH 2/3] watchdog: ziirave_wdt: check record length in ziirave_firm_verify()

From: Guenter Roeck
Date: Mon Jun 02 2025 - 10:28:04 EST

Next message: Frank Li: "[PATCH 1/1] dt-bindings: memory-controllers: convert arm,pl172.txt to yaml format"
Previous message: Yury Khrustalev: "Re: Extending clone_args for clone3()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 5/28/25 13:22, Dan Carpenter wrote:

The "rec->len" value comes from the firmware. We generally do
trust firmware, but it's always better to double check. If
the length value is too large it would lead to memory corruption
when we set "data[i] = ret;"

Fixes: 217209db0204 ("watchdog: ziirave_wdt: Add support to upload the firmware.")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

Reviewed-by: Guenetr Roeck <linux@xxxxxxxxxxxx>

---
drivers/watchdog/ziirave_wdt.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/drivers/watchdog/ziirave_wdt.c b/drivers/watchdog/ziirave_wdt.c
index fcc1ba02e75b..5c6e3fa001d8 100644
--- a/drivers/watchdog/ziirave_wdt.c
+++ b/drivers/watchdog/ziirave_wdt.c
@@ -302,6 +302,9 @@ static int ziirave_firm_verify(struct watchdog_device *wdd,
const u16 len = be16_to_cpu(rec->len);
const u32 addr = be32_to_cpu(rec->addr);
+ if (len > sizeof(data))
+ return -EINVAL;
+
if (ziirave_firm_addr_readonly(addr))
continue;

Next message: Frank Li: "[PATCH 1/1] dt-bindings: memory-controllers: convert arm,pl172.txt to yaml format"
Previous message: Yury Khrustalev: "Re: Extending clone_args for clone3()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]