
[PATCH 2/2] powerpc/kaslr_booke: Fix reserved-memory reg property length check

From: Thorsten Blum <thorsten.blum@linux.dev>
Date: 2026-07-02 12:06:43
Also in: lkml, stable
Subsystem: linux for powerpc (32-bit and 64-bit), the rest · Maintainers: Madhavan Srinivasan, Michael Ellerman, Linus Torvalds

In overlaps_reserved_region(), fdt_getprop() returns the reg property
length in bytes, which the loop condition compares against a cell count.
Since each cell is 4 bytes, scale the count to bytes before comparing it
with len to avoid reading past the end of a truncated reg property.

Fixes: 6a38ea1d7b94 ("powerpc/fsl_booke/32: randomize the kernel image offset")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
---
 arch/powerpc/mm/nohash/kaslr_booke.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/mm/nohash/kaslr_booke.c b/arch/powerpc/mm/nohash/kaslr_booke.c
index 3e5e67c76bda..82106a9d9d4c 100644
--- a/arch/powerpc/mm/nohash/kaslr_booke.c
+++ b/arch/powerpc/mm/nohash/kaslr_booke.c
@@ -123,8 +123,8 @@ static __init bool overlaps_reserved_region(const void *fdt, u32 start,
 
 		len = 0;
 		reg = fdt_getprop(fdt, subnode, "reg", &len);
-		while (len >= (regions.reserved_mem_addr_cells +
-			       regions.reserved_mem_size_cells)) {
+		while (len >= 4 * (regions.reserved_mem_addr_cells +
+				   regions.reserved_mem_size_cells)) {
 			base = fdt32_to_cpu(reg[0]);
 			if (regions.reserved_mem_addr_cells == 2)
 				base = (base << 32) | fdt32_to_cpu(reg[1]);
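Review bot: The literal `4` in the new `while (len >= 4 * (...))` condition is an unexplained cell size; a short comment or `(int)sizeof(*reg)` would tie the scaling to the 32-bit cells that `fdt32_to_cpu(reg[0])` reads. If `sizeof` is used, keep the cast so the comparison stays signed: `reg` is not NULL-checked in the visible lines, and fdt_getprop() reports a missing property by returning NULL with a negative `len`, so the loop depends on this comparison failing for negative values. It is also worth confirming that the rest of the loop (not shown in this hunk) advances `reg` by cells and decrements `len` in bytes, so both sides of the condition stay in the same unit on every iteration.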