[PATCH v2 01/20] rockchip: avoid out-of-bounds when computing cpuid

Dragan Simic dsimic at manjaro.org
Fri Feb 9 18:55:05 CET 2024


On 2024-02-09 10:49, Quentin Schulz wrote:
> From: Quentin Schulz <quentin.schulz at theobroma-systems.com>
> 
> The expected length of the cpuid, as passed with cpuid_length,
> determines the size of cpuid_str string. Therefore, care should be 
> taken
> to make sure nothing is accessing data out-of-bounds.
> 
> Instead of using hardcoded values, derive them from cpuid_length.
> 
> Cc: Quentin Schulz <foss+uboot at 0leil.net>
> Reviewed-by: Kever Yang <kever.yang at rock-chips.com>
> Signed-off-by: Quentin Schulz <quentin.schulz at theobroma-systems.com>

Looking good to me.

Reviewed-by: Dragan Simic <dsimic at manjaro.org>

> ---
>  arch/arm/mach-rockchip/misc.c | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/arch/arm/mach-rockchip/misc.c 
> b/arch/arm/mach-rockchip/misc.c
> index 7d03f0c2b67..15397cff009 100644
> --- a/arch/arm/mach-rockchip/misc.c
> +++ b/arch/arm/mach-rockchip/misc.c
> @@ -102,7 +102,7 @@ int rockchip_cpuid_set(const u8 *cpuid, const u32
> cpuid_length)
>  	int i;
> 
>  	memset(cpuid_str, 0, sizeof(cpuid_str));
> -	for (i = 0; i < 16; i++)
> +	for (i = 0; i < cpuid_length; i++)
>  		sprintf(&cpuid_str[i * 2], "%02x", cpuid[i]);
> 
>  	debug("cpuid: %s\n", cpuid_str);
> @@ -111,13 +111,13 @@ int rockchip_cpuid_set(const u8 *cpuid, const
> u32 cpuid_length)
>  	 * Mix the cpuid bytes using the same rules as in
>  	 *   ${linux}/drivers/soc/rockchip/rockchip-cpuinfo.c
>  	 */
> -	for (i = 0; i < 8; i++) {
> +	for (i = 0; i < cpuid_length / 2; i++) {
>  		low[i] = cpuid[1 + (i << 1)];
>  		high[i] = cpuid[i << 1];
>  	}
> 
> -	serialno = crc32_no_comp(0, low, 8);
> -	serialno |= (u64)crc32_no_comp(serialno, high, 8) << 32;
> +	serialno = crc32_no_comp(0, low, cpuid_length / 2);
> +	serialno |= (u64)crc32_no_comp(serialno, high, cpuid_length / 2) << 
> 32;
>  	snprintf(serialno_str, sizeof(serialno_str), "%016llx", serialno);
> 
>  	oldid = env_get("cpuid#");


More information about the U-Boot mailing list