thermal/drivers/mediatek/lvts_thermal: Guard against efuse data buffer overflow

We don't want to silently fetch garbage past the actual buffer.

Signed-off-by: Nicolas Pitre <npitre@baylibre.com>
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Link: https://lore.kernel.org/r/20240402032729.2736685-6-nico@fluxnic.net

diff --git a/drivers/thermal/mediatek/lvts_thermal.c b/drivers/thermal/mediatek/lvts_thermal.c
index 9e6ed8bf6d9aacc77dbe033bea87093269a78560..146799462338bc20d528830fd2fe4e67d4cbff2a 100644 (file)
--- a/drivers/thermal/mediatek/lvts_thermal.c
+++ b/drivers/thermal/mediatek/lvts_thermal.c
@@ -672,7 +672,8 @@ static int lvts_sensor_init(struct device *dev, struct lvts_ctrl *lvts_ctrl,
  */
 static int lvts_calibration_init(struct device *dev, struct lvts_ctrl *lvts_ctrl,
                                        const struct lvts_ctrl_data *lvts_ctrl_data,
-                                       u8 *efuse_calibration)
+                                       u8 *efuse_calibration,
+                                       size_t calib_len)
 {
        int i;
 
@@ -680,6 +681,11 @@ static int lvts_calibration_init(struct device *dev, struct lvts_ctrl *lvts_ctrl
                const struct lvts_sensor_data *sensor =
                                        &lvts_ctrl_data->lvts_sensor[i];
 
+               if (sensor->cal_offsets[0] >= calib_len ||
+                   sensor->cal_offsets[1] >= calib_len ||
+                   sensor->cal_offsets[2] >= calib_len)
+                       return -EINVAL;
+
                lvts_ctrl->calibration[i] =
                        (efuse_calibration[sensor->cal_offsets[0]] << 0) +
                        (efuse_calibration[sensor->cal_offsets[1]] << 8) +
@@ -791,7 +797,8 @@ static int lvts_ctrl_init(struct device *dev, struct lvts_domain *lvts_td,
 
                ret = lvts_calibration_init(dev, &lvts_ctrl[i],
                                            &lvts_data->lvts_ctrl[i],
-                                           lvts_td->calib);
+                                           lvts_td->calib,
+                                           lvts_td->calib_len);
                if (ret)
                        return ret;