[PATCH] firmware: arm_scmi: Fix OOB in scmi_power_name_get()
Geert Uytterhoeven
geert at linux-m68k.org
Fri May 22 00:56:32 PDT 2026
Hi Sudeep,
On Thu, 21 May 2026 at 18:26, Sudeep Holla <sudeep.holla at kernel.org> wrote:
> On Fri, May 15, 2026 at 11:59:15AM +0200, Geert Uytterhoeven wrote:
> > scmi_power_name_get() does not validate the domain number passed by the
> > external caller, which may lead to an out-of-bounds access.
> >
> > Fix this by returning "unknown" for invalid domains, like
> > scmi_reset_name_get() does.
> >
> > Fixes: 76a6550990e296a7 ("firmware: arm_scmi: add initial support for power protocol")
> > Signed-off-by: Geert Uytterhoeven <geert+renesas at glider.be>
> > ---
> > drivers/firmware/arm_scmi/power.c | 6 +++++-
> > 1 file changed, 5 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/firmware/arm_scmi/power.c b/drivers/firmware/arm_scmi/power.c
> > index 3aa84ceb6d2bab68..4a7215e02dec035d 100644
> > --- a/drivers/firmware/arm_scmi/power.c
> > +++ b/drivers/firmware/arm_scmi/power.c
> > @@ -204,8 +204,12 @@ scmi_power_name_get(const struct scmi_protocol_handle *ph,
> > u32 domain)
> > {
> > struct scmi_power_info *pi = ph->get_priv(ph);
> > - struct power_dom_info *dom = pi->dom_info + domain;
> > + struct power_dom_info *dom;
> > +
> > + if (domain >= pi->num_domains)
> > + return "unknown";
>
> The only user of this function must not call it for domain >= pi->num_domains.
> However, I am thinking if it is bit inconsistent within SCMI core now. I like
> the way pinmux/ctl handles this as I don't like the alternative for this
> (i.e. ERRPTR(-EINVAL or something)). Worst case if this ever causes issue
> we can change the signature of the scmi_{power,reset}_name_get to follow
> something like pinmux and update the users. Thoughts ? Happy to apply this
> for now.
You mean returning an int error code using return statements, and
returning the objects using passed function pointers?
Depends on the number of returned objects: if it's just one (e.g. a
name or info pointer), then the valid pointer/error pointer idiom is
very common in Linux.
Gr{oetje,eeting}s,
Geert
--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert at linux-m68k.org
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds
More information about the linux-arm-kernel
mailing list