From 2cc0b1a2169b0f4af83cc5a52a1693c8ab2e2f1d Mon Sep 17 00:00:00 2001 From: Nicolas Pitre Date: Mon, 1 Apr 2024 23:25:39 -0400 Subject: [PATCH] thermal/drivers/mediatek/lvts_thermal: Guard against efuse data buffer overflow We don't want to silently fetch garbage past the actual buffer. Signed-off-by: Nicolas Pitre Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20240402032729.2736685-6-nico@fluxnic.net --- drivers/thermal/mediatek/lvts_thermal.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/thermal/mediatek/lvts_thermal.c b/drivers/thermal/mediatek/lvts_thermal.c index 9e6ed8bf6d9aa..146799462338b 100644 --- a/drivers/thermal/mediatek/lvts_thermal.c +++ b/drivers/thermal/mediatek/lvts_thermal.c @@ -672,7 +672,8 @@ static int lvts_sensor_init(struct device *dev, struct lvts_ctrl *lvts_ctrl, */ static int lvts_calibration_init(struct device *dev, struct lvts_ctrl *lvts_ctrl, const struct lvts_ctrl_data *lvts_ctrl_data, - u8 *efuse_calibration) + u8 *efuse_calibration, + size_t calib_len) { int i; @@ -680,6 +681,11 @@ static int lvts_calibration_init(struct device *dev, struct lvts_ctrl *lvts_ctrl const struct lvts_sensor_data *sensor = &lvts_ctrl_data->lvts_sensor[i]; + if (sensor->cal_offsets[0] >= calib_len || + sensor->cal_offsets[1] >= calib_len || + sensor->cal_offsets[2] >= calib_len) + return -EINVAL; + lvts_ctrl->calibration[i] = (efuse_calibration[sensor->cal_offsets[0]] << 0) + (efuse_calibration[sensor->cal_offsets[1]] << 8) + @@ -791,7 +797,8 @@ static int lvts_ctrl_init(struct device *dev, struct lvts_domain *lvts_td, ret = lvts_calibration_init(dev, &lvts_ctrl[i], &lvts_data->lvts_ctrl[i], - lvts_td->calib); + lvts_td->calib, + lvts_td->calib_len); if (ret) return ret; -- 2.30.2