Unverified Commit c500a866 authored Sep 03, 2024 by Alexandra Diupina Committed by Krzysztof Wilczyński Sep 06, 2024

PCI: kirin: Fix buffer overflow in kirin_pcie_parse_port()

Within kirin_pcie_parse_port(), the pcie->num_slots is compared to
pcie->gpio_id_reset size (MAX_PCI_SLOTS) which is correct and would lead
to an overflow.

Thus, fix condition to pcie->num_slots + 1 >= MAX_PCI_SLOTS and move
pcie->num_slots increment below the if-statement to avoid out-of-bounds
array access.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: b22dbbb2 ("PCI: kirin: Support PERST# GPIOs for HiKey970 external PEX 8606 bridge")
Link: https://lore.kernel.org/linux-pci/20240903115823.30647-1-adiupina@astralinux.ru


Signed-off-by: Alexandra Diupina <adiupina@astralinux.ru>
[kwilczynski: commit log]
Signed-off-by: Krzysztof Wilczyński <kwilczynski@kernel.org>
Reviewed-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

parent 8400291e

drivers/pci/controller/dwc/pcie-kirin.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -420,11 +420,11 @@ static int kirin_pcie_parse_port(struct kirin_pcie *pcie,
		"unable to get a valid reset gpio\n");
		}

		pcie->num_slots++;
		if (pcie->num_slots > MAX_PCI_SLOTS) {
		if (pcie->num_slots + 1 >= MAX_PCI_SLOTS) {
		dev_err(dev, "Too many PCI slots!\n");
		return -EINVAL;
		}
		pcie->num_slots++;

		ret = of_pci_get_devfn(child);
		if (ret < 0) {