Commit ca250caa authored by Cristian Marussi, committed by Gu Bowen

firmware: arm_scmi: Fix list protocols enumeration in the base protocol

stable inclusion
from stable-v4.19.247
commit 444a2d27fe9867d0da4b28fc45b793f32e099ab8
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBP2JX
CVE: CVE-2022-49451

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=444a2d27fe9867d0da4b28fc45b793f32e099ab8

--------------------------------

[ Upstream commit 8009120e ]

While enumerating protocols implemented by the SCMI platform using
BASE_DISCOVER_LIST_PROTOCOLS, the number of returned protocols is
currently validated in an improper way since the check employs a sum
between unsigned integers that could overflow and cause the check itself
to be silently bypassed if the returned value 'loop_num_ret' is big
enough.

Fix the validation avoiding the addition.

Link: https://lore.kernel.org/r/20220330150551.2573938-4-cristian.marussi@arm.com


Fixes: b6f20ff8 ("firmware: arm_scmi: add common infrastructure and support for base protocol")
Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Gu Bowen <gubowen5@huawei.com>
parent 16bceab9
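
The bypass described in the commit message, as an added example that is not part of the commit or the kernel source: it runs the per-round count check with both conditions over constructed replies. `MAX_PROTOCOLS_IMP` is assumed to be 16 here, and `rejects_old`, `rejects_new`, `enumerate` and the sample arrays are hypothetical names.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_PROTOCOLS_IMP 16u /* assumed value for this example */

/* Pre-fix condition: the 32-bit sum can wrap, so a huge count looks small. */
static int rejects_old(uint32_t tot_num_ret, uint32_t loop_num_ret)
{
    return tot_num_ret + loop_num_ret > MAX_PROTOCOLS_IMP;
}

/* Post-fix condition: no addition; wrap-free while tot_num_ret <= MAX. */
static int rejects_new(uint32_t tot_num_ret, uint32_t loop_num_ret)
{
    return loop_num_ret > MAX_PROTOCOLS_IMP - tot_num_ret;
}

/*
 * Model of the enumeration loop (not the driver's code): each round reports
 * a count. Returns how many entries a caller trusting the check would go on
 * to process, or -1 if a round is rejected.
 */
static long long enumerate(const uint32_t *rounds, size_t n,
                           int (*rejects)(uint32_t, uint32_t))
{
    uint32_t tot_num_ret = 0;
    long long accepted = 0;

    for (size_t i = 0; i < n; i++) {
        if (rejects(tot_num_ret, rounds[i]))
            return -1;
        accepted += rounds[i];
        tot_num_ret += rounds[i]; /* wraps after a bypass, as uint32_t does */
    }
    return accepted;
}

/* Constructed replies: a sane round, then a count chosen to wrap the sum. */
static const uint32_t wrapping[] = { 4, 0xFFFFFFFDu };
static const uint32_t benign[]   = { 8, 8 };

int main(void)
{
    printf("old check, wrapping: %lld\n", enumerate(wrapping, 2, rejects_old));
    printf("new check, wrapping: %lld\n", enumerate(wrapping, 2, rejects_new));
    return 0;
}
```

Both conditions accept the benign sequence, so the fix does not change behaviour for a well-behaved platform.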
+1 −1
@@ -164,7 +164,7 @@ static int scmi_base_implementation_list_get(const struct scmi_handle *handle,
			break;

		loop_num_ret = le32_to_cpu(*num_ret);
		if (tot_num_ret + loop_num_ret > MAX_PROTOCOLS_IMP) {
		if (loop_num_ret > MAX_PROTOCOLS_IMP - tot_num_ret) {
			dev_err(dev, "No. of Protocol > MAX_PROTOCOLS_IMP");
			break;
		}
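
Review bot: the new condition `loop_num_ret > MAX_PROTOCOLS_IMP - tot_num_ret` is only wrap-free while `tot_num_ret <= MAX_PROTOCOLS_IMP`; if that ever fails, the subtraction itself wraps to a large value and the check passes again. A one-line comment above the `if` stating that invariant (the total only grows after passing this check) would keep a later change from breaking it unnoticed. Separately, the `dev_err` string has no trailing newline and does not print the offending counts; adding `\n` and both `loop_num_ret` and `tot_num_ret` would make a misbehaving platform easier to diagnose from the log.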