diff options
author | Cristian Marussi <cristian.marussi@arm.com> | 2022-05-23 19:15:59 +0200 |
---|---|---|
committer | Sudeep Holla <sudeep.holla@arm.com> | 2022-06-06 16:46:35 +0200 |
commit | 122839b58a089ff7f231759e2c8f63790724cae2 (patch) | |
tree | fa3122fc3258c9c65f64df138cb6bb1227562843 | |
parent | Linux 5.19-rc1 (diff) | |
download | linux-122839b58a089ff7f231759e2c8f63790724cae2.tar.xz linux-122839b58a089ff7f231759e2c8f63790724cae2.zip |
firmware: arm_scmi: Relax base protocol sanity checks on the protocol list
Even though malformed replies from firmware must be treated carefully to
avoid memory corruption in the kernel, some out-of-spec SCMI replies can
be tolerated to avoid breaking existing deployed system, as long as they
won't cause memory issues.
Relax the sanity checks on the recieved protocol list in the base protocol
to avoid breaking one of the deployed platform whose firmware is not easily
upgradable currently.
Link: https://lore.kernel.org/r/20220523171559.472112-1-cristian.marussi@arm.com
Cc: Etienne Carriere <etienne.carriere@linaro.org>
Cc: Sudeep Holla <sudeep.holla@arm.com>
Reported-by: Nicolas Frattaroli <frattaroli.nicolas@gmail.com>
Tested-By: Frank Wunderlich <frank-w@public-files.de>
Acked-by: Michael Riesch <michael.riesch@wolfvision.net>
Acked-by: Etienne Carriere <etienne.carriere@linaro.org>
Signed-off-by: Cristian Marussi <cristian.marussi@arm.com>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
-rw-r--r-- | drivers/firmware/arm_scmi/base.c | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/drivers/firmware/arm_scmi/base.c b/drivers/firmware/arm_scmi/base.c index 20fba7370f4e..d0ac96da1ddf 100644 --- a/drivers/firmware/arm_scmi/base.c +++ b/drivers/firmware/arm_scmi/base.c @@ -221,11 +221,17 @@ scmi_base_implementation_list_get(const struct scmi_protocol_handle *ph, calc_list_sz = (1 + (loop_num_ret - 1) / sizeof(u32)) * sizeof(u32); if (calc_list_sz != real_list_sz) { - dev_err(dev, - "Malformed reply - real_sz:%zd calc_sz:%u\n", - real_list_sz, calc_list_sz); - ret = -EPROTO; - break; + dev_warn(dev, + "Malformed reply - real_sz:%zd calc_sz:%u (loop_num_ret:%d)\n", + real_list_sz, calc_list_sz, loop_num_ret); + /* + * Bail out if the expected list size is bigger than the + * total payload size of the received reply. + */ + if (calc_list_sz > real_list_sz) { + ret = -EPROTO; + break; + } } for (loop = 0; loop < loop_num_ret; loop++) |