In overlaps_reserved_region(), fdt_getprop() returns the reg property
length in bytes, which the loop condition compares against a cell count.
Since each cell is 4 bytes, scale the count to bytes before comparing it
with len to avoid reading past the end of a truncated reg property.
Fixes: 6a38ea1d7b94 ("powerpc/fsl_booke/32: randomize the kernel image offset")
Cc: stable@vger.kernel.org
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
---
arch/powerpc/mm/nohash/kaslr_booke.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/powerpc/mm/nohash/kaslr_booke.c b/arch/powerpc/mm/nohash/kaslr_booke.c
index 3e5e67c76bda..82106a9d9d4c 100644
--- a/arch/powerpc/mm/nohash/kaslr_booke.c
+++ b/arch/powerpc/mm/nohash/kaslr_booke.c
@@ -123,8 +123,8 @@ static __init bool overlaps_reserved_region(const void *fdt, u32 start,
len = 0;
reg = fdt_getprop(fdt, subnode, "reg", &len);
- while (len >= (regions.reserved_mem_addr_cells +
- regions.reserved_mem_size_cells)) {
+ while (len >= 4 * (regions.reserved_mem_addr_cells +
+ regions.reserved_mem_size_cells)) {
base = fdt32_to_cpu(reg[0]);
if (regions.reserved_mem_addr_cells == 2)
base = (base << 32) | fdt32_to_cpu(reg[1]);
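Review bot: the literal 4 in the new condition `while (len >= 4 * (regions.reserved_mem_addr_cells + ...` is a magic number for the cell size. `sizeof(*reg)` would tie the scaling to the type that `reg[0]` and `reg[1]` are read through. Consider computing the per-entry size in bytes once in a local before the loop and using it in the condition. The step that advances `reg` and reduces `len` is outside the context shown here, so it should be checked that it also counts in bytes; sharing one local between the condition and that step keeps the two from drifting into different units again.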