From fc30b6e71dbdb451337a9bf921f8e785ea7b722a Mon Sep 17 00:00:00 2001 From: Oleksij Rempel Date: Thu, 13 Mar 2025 11:20:25 +0000 Subject: [PATCH] rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read stable inclusion from stable-v6.6.78 commit 9adefa7b9559d0f21034a5d5ec1b55840c9348b9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBREBH CVE: CVE-2024-58069 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=9adefa7b9559d0f21034a5d5ec1b55840c9348b9 -------------------------------- [ Upstream commit 3ab8c5ed4f84fa20cd16794fe8dc31f633fbc70c ] The nvmem interface supports variable buffer sizes, while the regmap interface operates with fixed-size storage. If an nvmem client uses a buffer size less than 4 bytes, regmap_read will write out of bounds as it expects the buffer to point at an unsigned int. Fix this by using an intermediary unsigned int to hold the value. Fixes: fadfd092ee91 ("rtc: pcf85063: add nvram support") Signed-off-by: Oleksij Rempel Signed-off-by: Ahmad Fatoum Link: https://lore.kernel.org/r/20241218-rtc-pcf85063-stack-corruption-v1-1-12fd0ee0f046@pengutronix.de Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin Signed-off-by: Liao Chen --- drivers/rtc/rtc-pcf85063.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/rtc/rtc-pcf85063.c b/drivers/rtc/rtc-pcf85063.c index fdbc07f14036..905986c61655 100644 --- a/drivers/rtc/rtc-pcf85063.c +++ b/drivers/rtc/rtc-pcf85063.c @@ -322,7 +322,16 @@ static const struct rtc_class_ops pcf85063_rtc_ops = { static int pcf85063_nvmem_read(void *priv, unsigned int offset, void *val, size_t bytes) { - return regmap_read(priv, PCF85063_REG_RAM, val); + unsigned int tmp; + int ret; + + ret = regmap_read(priv, PCF85063_REG_RAM, &tmp); + if (ret < 0) + return ret; + + *(u8 *)val = tmp; + + return 0; } static int pcf85063_nvmem_write(void *priv, unsigned int offset, -- Gitee