* [PATCH] nvmem: brcm_nvram: fix out-of-bounds access on malformed flash data
@ 2026-07-03 22:28 Rosen Penev
2026-07-16 21:24 ` Srinivas Kandagatla
0 siblings, 1 reply; 2+ messages in thread
From: Rosen Penev @ 2026-07-03 22:28 UTC (permalink / raw)
To: linux-kernel; +Cc: Srinivas Kandagatla, rafal
The length check in brcm_nvram_parse() validated header->len against
priv->nvmem_size (the full partition size) instead of priv->data_len
(the actual allocated data buffer). A malformed flash partition with
header->len between the two would pass the check, causing
brcm_nvram_add_cells() to read and write priv->data[len - 1] beyond
the heap allocation.
Also add a minimum bound: len < sizeof(*header) could underflow the
data[len - 1] access.
Fix both bounds by rejecting len outside [sizeof(*header), priv->data_len].
Assisted-by: opencode:big-pickle
Signed-off-by: Rosen Penev <rosenp@gmail.com>
---
drivers/nvmem/brcm_nvram.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/nvmem/brcm_nvram.c b/drivers/nvmem/brcm_nvram.c
index aaa6537798bf..a29183ecd3e0 100644
--- a/drivers/nvmem/brcm_nvram.c
+++ b/drivers/nvmem/brcm_nvram.c
@@ -187,9 +187,13 @@ static int brcm_nvram_parse(struct brcm_nvram *priv)
}
len = le32_to_cpu(header->len);
- if (len > priv->nvmem_size) {
- dev_err(dev, "NVRAM length (%zd) exceeds mapped size (%zd)\n", len,
- priv->nvmem_size);
+ if (len < sizeof(*header)) {
+ dev_err(dev, "NVRAM length (%zd) too small\n", len);
+ return -EINVAL;
+ }
+ if (len > priv->data_len) {
+ dev_err(dev, "NVRAM length (%zd) exceeds data size (%zd)\n", len,
+ priv->data_len);
return -EINVAL;
}
--
2.55.0
^ permalink raw reply [flat|nested] 2+ messages in thread* Re: [PATCH] nvmem: brcm_nvram: fix out-of-bounds access on malformed flash data
2026-07-03 22:28 [PATCH] nvmem: brcm_nvram: fix out-of-bounds access on malformed flash data Rosen Penev
@ 2026-07-16 21:24 ` Srinivas Kandagatla
0 siblings, 0 replies; 2+ messages in thread
From: Srinivas Kandagatla @ 2026-07-16 21:24 UTC (permalink / raw)
To: linux-kernel, Rosen Penev; +Cc: rafal
On Fri, 03 Jul 2026 15:28:52 -0700, Rosen Penev wrote:
> The length check in brcm_nvram_parse() validated header->len against
> priv->nvmem_size (the full partition size) instead of priv->data_len
> (the actual allocated data buffer). A malformed flash partition with
> header->len between the two would pass the check, causing
> brcm_nvram_add_cells() to read and write priv->data[len - 1] beyond
> the heap allocation.
>
> [...]
Applied, thanks!
[1/1] nvmem: brcm_nvram: fix out-of-bounds access on malformed flash data
commit: 95e486974c4a0a567e57212fcfca82b372dd8df6
Best regards,
--
Srinivas Kandagatla <srini@kernel.org>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-07-16 21:24 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-07-03 22:28 [PATCH] nvmem: brcm_nvram: fix out-of-bounds access on malformed flash data Rosen Penev
2026-07-16 21:24 ` Srinivas Kandagatla
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Powered by JetHome