From: Joonwon Kang <joonwonkang@google.com> mainline inclusion from mainline-v7.0-rc1 commit fcd7f96c783626c07ee3ed75fa3739a8a2052310 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14824 CVE: CVE-2026-43281 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- Although it is guided that `#mbox-cells` must be at least 1, there are many instances of `#mbox-cells = <0>;` in the device tree. If that is the case and the corresponding mailbox controller does not provide `fw_xlate` and of_xlate` function pointers, `fw_mbox_index_xlate()` will be used by default and out-of-bounds accesses could occur due to lack of bounds check in that function. Cc: stable@vger.kernel.org Signed-off-by: Joonwon Kang <joonwonkang@google.com> Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com> Conflicts: drivers/mailbox/mailbox.c [Commit ba879dfc0574 ("mailbox: Allow controller specific mapping using fwnode") was not merged. Context conflicts.] Signed-off-by: Yi Yang <yiyang13@huawei.com> --- drivers/mailbox/mailbox.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/drivers/mailbox/mailbox.c b/drivers/mailbox/mailbox.c index adf36c05fa43..19eefdf99058 100644 --- a/drivers/mailbox/mailbox.c +++ b/drivers/mailbox/mailbox.c @@ -507,12 +507,10 @@ static struct mbox_chan * of_mbox_index_xlate(struct mbox_controller *mbox, const struct of_phandle_args *sp) { - int ind = sp->args[0]; - - if (ind >= mbox->num_chans) + if (sp->args_count < 1 || sp->args[0] >= mbox->num_chans) return ERR_PTR(-EINVAL); - return &mbox->chans[ind]; + return &mbox->chans[sp->args[0]]; } /** -- 2.25.1