From 2871dee83336cdafc38140dc6edd517eb5cac4b7 Mon Sep 17 00:00:00 2001 From: Quentin Schulz Date: Mon, 11 Mar 2024 13:01:44 +0100 Subject: [PATCH] rockchip: avoid out-of-bounds when computing cpuid The expected length of the cpuid, as passed with cpuid_length, determines the size of cpuid_str string. Therefore, care should be taken to make sure nothing is accessing data out-of-bounds. Instead of using hardcoded values, derive them from cpuid_length. Cc: Quentin Schulz Reviewed-by: Kever Yang Reviewed-by: Dragan Simic Signed-off-by: Quentin Schulz --- arch/arm/mach-rockchip/misc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/arch/arm/mach-rockchip/misc.c b/arch/arm/mach-rockchip/misc.c index 7d03f0c2b6..15397cff00 100644 --- a/arch/arm/mach-rockchip/misc.c +++ b/arch/arm/mach-rockchip/misc.c @@ -102,7 +102,7 @@ int rockchip_cpuid_set(const u8 *cpuid, const u32 cpuid_length) int i; memset(cpuid_str, 0, sizeof(cpuid_str)); - for (i = 0; i < 16; i++) + for (i = 0; i < cpuid_length; i++) sprintf(&cpuid_str[i * 2], "%02x", cpuid[i]); debug("cpuid: %s\n", cpuid_str); @@ -111,13 +111,13 @@ int rockchip_cpuid_set(const u8 *cpuid, const u32 cpuid_length) * Mix the cpuid bytes using the same rules as in * ${linux}/drivers/soc/rockchip/rockchip-cpuinfo.c */ - for (i = 0; i < 8; i++) { + for (i = 0; i < cpuid_length / 2; i++) { low[i] = cpuid[1 + (i << 1)]; high[i] = cpuid[i << 1]; } - serialno = crc32_no_comp(0, low, 8); - serialno |= (u64)crc32_no_comp(serialno, high, 8) << 32; + serialno = crc32_no_comp(0, low, cpuid_length / 2); + serialno |= (u64)crc32_no_comp(serialno, high, cpuid_length / 2) << 32; snprintf(serialno_str, sizeof(serialno_str), "%016llx", serialno); oldid = env_get("cpuid#"); -- 2.39.5