nfc: fdp: add null check of devm_kmalloc_array in fdp_nci_i2c_read_device_properties

void0red · Paolo Abeni · commit 11f180a5d62a · 2023-02-28T11:48:28.000+01:00
devm_kmalloc_array may fails, *fw_vsc_cfg might be null and cause out-of-bounds write in device_property_read_u8_array later. Fixes: a06347c ("NFC: Add Intel Fields Peak NFC solution driver") Signed-off-by: Kang Chen <void0red@gmail.com> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Reviewed-by: Simon Horman <simon.horman@corigine.com> Link: https://lore.kernel.org/r/20230227093037.907654-1-void0red@gmail.com Signed-off-by: Paolo Abeni <pabeni@redhat.com>
diff --git a/drivers/nfc/fdp/i2c.c b/drivers/nfc/fdp/i2c.c
@@ -247,6 +247,9 @@ static void fdp_nci_i2c_read_device_properties(struct device *dev,
 					   len, sizeof(**fw_vsc_cfg),
 					   GFP_KERNEL);
 
+		if (!*fw_vsc_cfg)
+			goto alloc_err;
+
 		r = device_property_read_u8_array(dev, FDP_DP_FW_VSC_CFG_NAME,
 						  *fw_vsc_cfg, len);
 
@@ -260,6 +263,7 @@ static void fdp_nci_i2c_read_device_properties(struct device *dev,
 		*fw_vsc_cfg = NULL;
 	}
 
+alloc_err:
 	dev_dbg(dev, "Clock type: %d, clock frequency: %d, VSC: %s",
 		*clock_type, *clock_freq, *fw_vsc_cfg != NULL ? "yes" : "no");
 }

Original file line number	Diff line number	Diff line change
`@@ -247,6 +247,9 @@ static void fdp_nci_i2c_read_device_properties(struct device *dev,`
`247`	`247`	`len, sizeof(**fw_vsc_cfg),`
`248`	`248`	`GFP_KERNEL);`
`249`	`249`
	`250`	`+ if (!*fw_vsc_cfg)`
	`251`	`+ goto alloc_err;`
	`252`	`+`
`250`	`253`	`r = device_property_read_u8_array(dev, FDP_DP_FW_VSC_CFG_NAME,`
`251`	`254`	`*fw_vsc_cfg, len);`
`252`	`255`
`@@ -260,6 +263,7 @@ static void fdp_nci_i2c_read_device_properties(struct device *dev,`
`260`	`263`	`*fw_vsc_cfg = NULL;`
`261`	`264`	`}`
`262`	`265`
	`266`	`+alloc_err:`
`263`	`267`	`dev_dbg(dev, "Clock type: %d, clock frequency: %d, VSC: %s",`
`264`	`268`	`clock_type, clock_freq, *fw_vsc_cfg != NULL ? "yes" : "no");`
`265`	`269`	`}`