diff options
author | Samuel Holland <samuel@sholland.org> | 2022-05-09 00:29:32 -0500 |
---|---|---|
committer | Andre Przywara <andre.przywara@arm.com> | 2022-07-18 09:37:49 +0100 |
commit | 6827aba3482d214afea3b3bc4cb2f5bddb606929 (patch) | |
tree | c8e87a3d76f1f69ef2d1ca93d2106fbc402ca22c | |
parent | 49b2b0a2b6782609a9977095d9c80391de463044 (diff) | |
download | u-boot-6827aba3482d214afea3b3bc4cb2f5bddb606929.zip u-boot-6827aba3482d214afea3b3bc4cb2f5bddb606929.tar.gz u-boot-6827aba3482d214afea3b3bc4cb2f5bddb606929.tar.bz2 |
clk: sunxi: Prevent out-of-bounds gate array access
Because the gate arrays are not given explicit sizes, the arrays are
only as large as the highest-numbered gate described in the driver.
However, only a subset of the CCU clocks are needed by U-Boot. So there
are valid clock specifiers with indexes greater than the size of the
arrays. Referencing any of these clocks causes out-of-bounds access.
Fix this by checking the identifier against the size of the array.
Fixes: 0d47bc705651 ("clk: Add Allwinner A64 CLK driver")
Signed-off-by: Samuel Holland <samuel@sholland.org>
Reviewed-by: Andre Przywara <andre.przywara@arm.com>
Signed-off-by: Andre Przywara <andre.przywara@arm.com>
-rw-r--r-- | drivers/clk/sunxi/clk_sunxi.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/drivers/clk/sunxi/clk_sunxi.c b/drivers/clk/sunxi/clk_sunxi.c index 9a21367..62e7738 100644 --- a/drivers/clk/sunxi/clk_sunxi.c +++ b/drivers/clk/sunxi/clk_sunxi.c @@ -18,6 +18,9 @@ static const struct ccu_clk_gate *priv_to_gate(struct ccu_priv *priv, unsigned long id) { + if (id >= priv->desc->num_gates) + return NULL; + return &priv->desc->gates[id]; } @@ -27,10 +30,10 @@ static int sunxi_set_gate(struct clk *clk, bool on) const struct ccu_clk_gate *gate = priv_to_gate(priv, clk->id); u32 reg; - if ((gate->flags & CCU_CLK_F_DUMMY_GATE)) + if (gate && (gate->flags & CCU_CLK_F_DUMMY_GATE)) return 0; - if (!(gate->flags & CCU_CLK_F_IS_VALID)) { + if (!gate || !(gate->flags & CCU_CLK_F_IS_VALID)) { printf("%s: (CLK#%ld) unhandled\n", __func__, clk->id); return 0; } |