firmware: arm_scpi: Fix string overflow in SCPI genpd driver

PlaidCat · PlaidCat · commit 773ba5bb5a4a · 2025-06-06T13:30:48.000-04:00
jira LE-3201 cve CVE-2021-47609 Rebuild_History Non-Buildable kernel-rt-4.18.0-553.22.1.rt7.363.el8_10 commit-author Sudeep Holla <sudeep.holla@arm.com> commit 865ed67 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-rt-4.18.0-553.22.1.rt7.363.el8_10/865ed67a.failed Without the bound checks for scpi_pd->name, it could result in the buffer overflow when copying the SCPI device name from the corresponding device tree node as the name string is set at maximum size of 30. Let us fix it by using devm_kasprintf so that the string buffer is allocated dynamically. Fixes: 8bec433 ("firmware: scpi: add device power domain support using genpd") Reported-by: Pedro Batista <pedbap.g@gmail.com> Signed-off-by: Sudeep Holla <sudeep.holla@arm.com> Cc: stable@vger.kernel.org Cc: Cristian Marussi <cristian.marussi@arm.com> Link: https://lore.kernel.org/r/20211209120456.696879-1-sudeep.holla@arm.com' Signed-off-by: Arnd Bergmann <arnd@arndb.de> (cherry picked from commit 865ed67) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # drivers/firmware/scpi_pm_domain.c
diff --git a/ciq/ciq_backports/kernel-rt-4.18.0-553.22.1.rt7.363.el8_10/865ed67a.failed b/ciq/ciq_backports/kernel-rt-4.18.0-553.22.1.rt7.363.el8_10/865ed67a.failed
@@ -0,0 +1,54 @@
+firmware: arm_scpi: Fix string overflow in SCPI genpd driver
+
+jira LE-3201
+cve CVE-2021-47609
+Rebuild_History Non-Buildable kernel-rt-4.18.0-553.22.1.rt7.363.el8_10
+commit-author Sudeep Holla <sudeep.holla@arm.com>
+commit 865ed67ab955428b9aa771d8b4f1e4fb7fd08945
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-rt-4.18.0-553.22.1.rt7.363.el8_10/865ed67a.failed
+
+Without the bound checks for scpi_pd->name, it could result in the buffer
+overflow when copying the SCPI device name from the corresponding device
+tree node as the name string is set at maximum size of 30.
+
+Let us fix it by using devm_kasprintf so that the string buffer is
+allocated dynamically.
+
+Fixes: 8bec4337ad40 ("firmware: scpi: add device power domain support using genpd")
+	Reported-by: Pedro Batista <pedbap.g@gmail.com>
+	Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+	Cc: stable@vger.kernel.org
+	Cc: Cristian Marussi <cristian.marussi@arm.com>
+Link: https://lore.kernel.org/r/20211209120456.696879-1-sudeep.holla@arm.com'
+	Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+(cherry picked from commit 865ed67ab955428b9aa771d8b4f1e4fb7fd08945)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	drivers/firmware/scpi_pm_domain.c
+diff --cc drivers/firmware/scpi_pm_domain.c
+index f395dec27113,800673910b51..000000000000
+--- a/drivers/firmware/scpi_pm_domain.c
++++ b/drivers/firmware/scpi_pm_domain.c
+@@@ -121,8 -109,13 +120,18 @@@ static int scpi_pm_domain_probe(struct 
+  
+  		scpi_pd->domain = i;
+  		scpi_pd->ops = scpi_ops;
+++<<<<<<< HEAD
+ +		sprintf(scpi_pd->name, "%s.%d", np->name, i);
+ +		scpi_pd->genpd.name = scpi_pd->name;
+++=======
++ 		scpi_pd->genpd.name = devm_kasprintf(dev, GFP_KERNEL,
++ 						     "%pOFn.%d", np, i);
++ 		if (!scpi_pd->genpd.name) {
++ 			dev_err(dev, "Failed to allocate genpd name:%pOFn.%d\n",
++ 				np, i);
++ 			continue;
++ 		}
+++>>>>>>> 865ed67ab955 (firmware: arm_scpi: Fix string overflow in SCPI genpd driver)
+  		scpi_pd->genpd.power_off = scpi_pd_power_off;
+  		scpi_pd->genpd.power_on = scpi_pd_power_on;
+  
+* Unmerged path drivers/firmware/scpi_pm_domain.c
