Commit fc30b6e7 authored Mar 13, 2025 by Oleksij Rempel Committed by Liao Chen Mar 13, 2025

rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read

stable inclusion
from stable-v6.6.78
commit 9adefa7b9559d0f21034a5d5ec1b55840c9348b9
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBREBH
CVE: CVE-2024-58069

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9adefa7b9559d0f21034a5d5ec1b55840c9348b9



--------------------------------

[ Upstream commit 3ab8c5ed4f84fa20cd16794fe8dc31f633fbc70c ]

The nvmem interface supports variable buffer sizes, while the regmap
interface operates with fixed-size storage. If an nvmem client uses a
buffer size less than 4 bytes, regmap_read will write out of bounds
as it expects the buffer to point at an unsigned int.

Fix this by using an intermediary unsigned int to hold the value.

Fixes: fadfd092 ("rtc: pcf85063: add nvram support")
Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
Link: https://lore.kernel.org/r/20241218-rtc-pcf85063-stack-corruption-v1-1-12fd0ee0f046@pengutronix.de


Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Liao Chen <liaochen4@huawei.com>

parent cc10030e

drivers/rtc/rtc-pcf85063.c

+10 −1

Original line number	Diff line number	Diff line
		@@ -322,7 +322,16 @@ static const struct rtc_class_ops pcf85063_rtc_ops = {
		static int pcf85063_nvmem_read(void *priv, unsigned int offset,
		void *val, size_t bytes)
		{
		return regmap_read(priv, PCF85063_REG_RAM, val);
		unsigned int tmp;
		int ret;

		ret = regmap_read(priv, PCF85063_REG_RAM, &tmp);
		if (ret < 0)
		return ret;

		(u8 )val = tmp;

		return 0;
		}

		static int pcf85063_nvmem_write(void *priv, unsigned int offset,