On Mon, Dec 09, 2024 at 09:25:02PM +0800, Zijun Hu wrote:
From: Zijun Hu quic_zijuhu@quicinc.com
of_irq_parse_one() may use uninitialized variable @addr_len as shown below:
// @addr_len is uninitialized int addr_len;
// This operation does not touch @addr_len if it fails. addr = of_get_property(device, "reg", &addr_len);
// Use uninitialized @addr_len if the operation fails. if (addr_len > sizeof(addr_buf)) addr_len = sizeof(addr_buf);
// Check the operation result here. if (addr) memcpy(addr_buf, addr, addr_len);
Fix by initializing @addr_len before the operation.
Fixes: b739dffa5d57 ("of/irq: Prevent device address out-of-bounds read in interrupt map walk") Cc: stable@vger.kernel.org Signed-off-by: Zijun Hu quic_zijuhu@quicinc.com
drivers/of/irq.c | 1 + 1 file changed, 1 insertion(+)
Applied, thanks.
Rob