[PATCH 2/7] clk: sunxi: Prevent out-of-bounds gate array access
Andre Przywara
andre.przywara at arm.com
Sun Jun 26 12:43:03 CEST 2022
On Mon, 9 May 2022 00:29:32 -0500
Samuel Holland <samuel at sholland.org> wrote:
> Because the gate arrays are not given explicit sizes, the arrays are
> only as large as the highest-numbered gate described in the driver.
> However, only a subset of the CCU clocks are needed by U-Boot. So there
> are valid clock specifiers with indexes greater than the size of the
> arrays. Referencing any of these clocks causes out-of-bounds access.
> Fix this by checking the identifier against the size of the array.
>
> Fixes: 0d47bc705651 ("clk: Add Allwinner A64 CLK driver")
> Signed-off-by: Samuel Holland <samuel at sholland.org>
That's a good addition! Amended the patch to cover CCU_CLK_F_DUMMY_GATE.
Reviewed-by: Andre Przywara <andre.przywara at arm.com>
Cheers,
Andre
> ---
>
> drivers/clk/sunxi/clk_sunxi.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/clk/sunxi/clk_sunxi.c b/drivers/clk/sunxi/clk_sunxi.c
> index 9673b58a49..3108e5b66d 100644
> --- a/drivers/clk/sunxi/clk_sunxi.c
> +++ b/drivers/clk/sunxi/clk_sunxi.c
> @@ -18,6 +18,9 @@
> static const struct ccu_clk_gate *priv_to_gate(struct ccu_priv *priv,
> unsigned long id)
> {
> + if (id >= priv->desc->num_gates)
> + return NULL;
> +
> return &priv->desc->gates[id];
> }
>
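Review bot: the new bound in priv_to_gate() depends on priv->desc->num_gates, but the diffstat shows only clk_sunxi.c changing, so nothing visible here sets that field for each SoC descriptor. Please confirm that every descriptor fills it in from the real size of its gates array (presumably elsewhere in this series), because a descriptor left at zero would make every id fail "id >= priv->desc->num_gates" and turn all gates into the unhandled case. Since the helper can now return NULL, a one-line comment above it saying so would help anyone adding a caller that dereferences the result directly.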
> @@ -27,7 +30,7 @@ static int sunxi_set_gate(struct clk *clk, bool on)
> const struct ccu_clk_gate *gate = priv_to_gate(priv, clk->id);
> u32 reg;
>
> - if (!(gate->flags & CCU_CLK_F_IS_VALID)) {
> + if (!gate || !(gate->flags & CCU_CLK_F_IS_VALID)) {
> printf("%s: (CLK#%ld) unhandled\n", __func__, clk->id);
> return 0;
> }
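Review bot: in sunxi_set_gate() the new "!gate" case shares the branch that prints "unhandled" and returns 0, so a clock id past the end of the gate array is reported to the caller as success. That matches the commit message, which treats these ids as valid clocks U-Boot simply does not describe, but it is worth a short comment at the check saying the 0 is intentional. Otherwise the out-of-range case reads like an error path that forgot its error code, and the printf cannot tell it apart from a gate that is in range but lacks CCU_CLK_F_IS_VALID.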