From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-wm1-f53.google.com (mail-wm1-f53.google.com [209.85.128.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 02BC639448F for ; Tue, 19 May 2026 08:47:00 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.53 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779180422; cv=none; b=Ir3odDMlN7AI1BtswBzjz+8EVV8wFR3L5JRuuhhqdykmiYa5b7Tkcg61jxASXpYRy4WsVBJxxIhab2fkzkJ9B00xJ019F7e0DvqAQI+pJARO/ycgwGiU+8+A2VbMMWsj2OiYUy4hErxuAmmJbIa64joPLBo2jNjDCDoy5cSvj+A= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779180422; c=relaxed/simple; bh=juDUcsZNIvzbRmHpWcCfezrV4oTSuq5bTHew7YfXdp0=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=AmX6miaUWOchvtd7xnVhl7Uvb5SnK1p4kMvgmhsb1IsihigJ3HEbwAd5iy1DXm5rNmVZgn0nWNayghuT8neqANpRTFl2cIUZ01xvoVTn4q/6UKwl8B1SJGi9TDZLDnKocrEGV0OUMeETSYT+/CwEsW+xFVSD1ZeTLRZ6qTVRLcY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=iu5D4NbC; arc=none smtp.client-ip=209.85.128.53 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="iu5D4NbC" Received: by mail-wm1-f53.google.com with SMTP id 5b1f17b1804b1-48a563e4ef7so26642465e9.0 for ; Tue, 19 May 2026 01:47:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779180419; x=1779785219; darn=vger.kernel.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=vlT44GAjdS7aAUiPvcR24JmsWeLTVxOUHH60gHBMn6A=; b=iu5D4NbCuoH4UkB1D09zloU7T8ZCg6Y6Gs5fkTUtTxAaR3OZjmGe3yE2K2vDM2l149 697MWsCpHkItF+gHzERU/5LSBRbgh9xfR0sRBR+sIfMWpQdqlSb1MrplxnWVZoM3aw5U TH9zEdcBB4MwAasTMKcIJNxImXNLBtoTNcK8ep21zodvPR7vKrn5RA3I/Siloi4TInRM 1HlFzfVRvj69G/4Seo7Mo9DdcYJL2eR7K2wfYN1RXezfHPL/SMQaFpZN9CShLvMlIemW +YsGTZiNyVo/jpCQr1U3vZA8R06C4LM+zp1wwcp/YUqO/FZCpfEkRx2LFXWICCroL3iX Ey9g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779180419; x=1779785219; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-gg:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=vlT44GAjdS7aAUiPvcR24JmsWeLTVxOUHH60gHBMn6A=; b=spOxrTYt7jpre3xY58FPBkvTsD2XC0LAV+yjEs9KQ07cLu/EEoEiebbR1aYvEXbtrH lp1GYdYg0m8tZYQh8+S1NMhvqMx0ufy1axqx5axzwCGqyO8XAHCs3eQzfovQGb13vK5J treHBagAPzM66/yeRP07WCpvDSjUZo2z9DTrlRIHX5MBNV2JkKcEnDtx41xq8eUBmRFS Bb/OHoG4peF32HHkdrhvJra1kR20JknF3OgPe+PAeU8/xpLIW3Urh7uPmZTn6YyG3iQr a0xnPZn/vRHnJciX8wERd8s0gFTDQw3c4XLOUAGDZO2djZlWcfqf83AQ4xRHXKANK8ER 5bxA== X-Forwarded-Encrypted: i=1; AFNElJ9EqqNAd5i/H647llvTv1ctjSdj3R+3S2Q/f4yhPfEydLVS5KZNwrtaomKgMVYlW7mX31sZrvqaqVBCXS8=@vger.kernel.org X-Gm-Message-State: AOJu0YxC7VNmwQtrqqTGzJnGxlk0aSJu39Ah7wriH72KPZhSSE1XxRAl RNUzuPc3hO4bF+rtFgvL4V7jUkokVdxSBz+94RVlfZOsD9+auS3xVSRO X-Gm-Gg: Acq92OHk69RX54+ZaPbQJAHKaFIRNCQ9ZDgy6Gk1PA8wH3rWihPNqAr/Q65VjtzqGe0 H2Il9VYYKF2mNIZJMJPC9tTs/+NM6XOVz+yKpVdSTgbTF7fjXz1u1Rej3Vpm66Cw5bEDkxq30X5 PU2sP9goQ545rrPujKJ3DH89MMFi0nm8r7qYa/MKIvllJpffXSA+tK+XRyBCj3iD7EMaDZIQx04 /kM32NVbmyy0XTCf5GmCVNpNlQo4aRitqZd3m5xABRPGfWyKZ7BkZDRIFH7zaRf+tEpBL9ZaALh CeMI1H8NG2ecSEjxor6yYMH2ncPMPd3IgwvWHgDSXEsTwPWbCm8Iicz4qf+O7bh+nIyldzUwyGM pXeWxWsSVKuTXn/txkflUM8/u45yLTHTrgvy2TkiF5giAnWfM67FoM+yp99bqHqdCoSjBTtSs3G QPRJiA96zmAbCylcWvmayVghE= X-Received: by 2002:a05:600c:630a:b0:48f:e249:4094 with SMTP id 5b1f17b1804b1-48fe632663emr343949425e9.18.1779180419176; Tue, 19 May 2026 01:46:59 -0700 (PDT) Received: from localhost ([196.207.164.177]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-48fe4c8344asm529862995e9.1.2026.05.19.01.46.57 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 19 May 2026 01:46:58 -0700 (PDT) Date: Tue, 19 May 2026 11:46:55 +0300 From: Dan Carpenter To: Cristian Marussi Cc: Geert Uytterhoeven , Sudeep Holla , arm-scmi@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] firmware: arm_scmi: Fix OOB in scmi_power_name_get() Message-ID: References: <75caae28bdffb55199a0bc6cac5df112a966c608.1778838987.git.geert+renesas@glider.be> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: On Tue, May 19, 2026 at 09:36:40AM +0100, Cristian Marussi wrote: > On Fri, May 15, 2026 at 01:10:56PM +0100, Cristian Marussi wrote: > > On Fri, May 15, 2026 at 02:00:24PM +0200, Geert Uytterhoeven wrote: > > > Hi Cristian, > > > > > > On Fri, 15 May 2026 at 13:46, Cristian Marussi wrote: > > > > On Fri, May 15, 2026 at 01:29:27PM +0200, Geert Uytterhoeven wrote: > > > > > On Fri, 15 May 2026 at 12:28, Dan Carpenter wrote: > > > > > > On Fri, May 15, 2026 at 11:59:15AM +0200, Geert Uytterhoeven wrote: > > > > > > > scmi_power_name_get() does not validate the domain number passed by the > > > > > > > external caller, which may lead to an out-of-bounds access. > > > > > > > > > > > > Is an external caller an out of tree caller? So far as I can see this > > > > > > > > > > I meant a caller outside drivers/firmware/arm_scmi/. > > > > > > > > > > > is only called by scmi_pm_domain_probe(). > > > > > > > > > > > > scmi_pd->name = power_ops->name_get(ph, i); > > > > > > > > > > > > where i < num_domains. > > > > > > > > > > You are right. But this seems to be only API implementation in > > > > > drivers/firmware/arm_scmi/ that does not validate the passed domain > > > > > number. > > > > > > > > Yes we tend to validate protocol operations calls even if apparently > > > > safe from teh caller perspective...indeed I have this fixed locally > > > > since ages in an horrible patch, that does a lot more, and that I > > > > never posted :P > > > > > > > > Usually, if it is worth, we also build an internal domain get helper to > > > > reuse across the protocol unit...but here really there are only 2 call-sites. > > > > > > > > What I am not sure is what to return: "unknown" is safer as of now than NULL > > > > for sure, but really, what happened is NOT that the name was "unknown" (which > > > > by itself would be out-of-spec behaviour) it is more that the whole domain that > > > > was referred to that was invalid and NOT existent... > > > > > > > > ....mmm I suppose we are opening another can of worms here :P > > > > > > Like scmi_perf_info_get() returning ERR_PTR(-EINVAL) instead of NULL, > > > and scmi_perf_domain_probe() never checking the return value anyway? > > > > ...oh probably more than that...and related vendor FW that already exploits > > these missing checks here and there to arbitrarily skip domains and return > > out-of-spec non-contigous sets of domains becasue they cannot bother to > > implement properly the spec (or they have simply forked their codebase from > > an old drop and never updated it again...)...so that any kernel-side fix > > you made along the road carries the risk of breaking something and a string > > of possibly needed quirks... > > Anyway, it is the safest option on the table until proper checks are in place. > > Reviewed-by: Cristian Marussi If it has a description like this then it's absolutely going to get a CVE assigned. We're used to hundreds of CVEs and all but I really feel like this is a bad habit. regards, dan carpenter