From: Oleksij Rempel <o.rempel@pengutronix.de> stable inclusion from stable-v6.6.78 commit 9adefa7b9559d0f21034a5d5ec1b55840c9348b9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBREBH CVE: CVE-2024-58069 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- [ Upstream commit 3ab8c5ed4f84fa20cd16794fe8dc31f633fbc70c ] The nvmem interface supports variable buffer sizes, while the regmap interface operates with fixed-size storage. If an nvmem client uses a buffer size less than 4 bytes, regmap_read will write out of bounds as it expects the buffer to point at an unsigned int. Fix this by using an intermediary unsigned int to hold the value. Fixes: fadfd092ee91 ("rtc: pcf85063: add nvram support") Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de> Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de> Link: https://lore.kernel.org/r/20241218-rtc-pcf85063-stack-corruption-v1-1-12fd0e... Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Sasha Levin <sashal@kernel.org> Conflicts: drivers/rtc/rtc-pcf85063.c [lc: adjust context] Signed-off-by: Liao Chen <liaochen4@huawei.com> Signed-off-by: Liu Mingrui <liumingrui@huawei.com> Signed-off-by: Hongbo Li <lihongbo22@huawei.com> --- drivers/rtc/rtc-pcf85063.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/rtc/rtc-pcf85063.c b/drivers/rtc/rtc-pcf85063.c index 449204d84c61..dd3336cbb792 100644 --- a/drivers/rtc/rtc-pcf85063.c +++ b/drivers/rtc/rtc-pcf85063.c @@ -328,7 +328,16 @@ static const struct rtc_class_ops pcf85063_rtc_ops_alarm = { static int pcf85063_nvmem_read(void *priv, unsigned int offset, void *val, size_t bytes) { - return regmap_read(priv, PCF85063_REG_RAM, val); + unsigned int tmp; + int ret; + + ret = regmap_read(priv, PCF85063_REG_RAM, &tmp); + if (ret < 0) + return ret; + + *(u8 *)val = tmp; + + return 0; } static int pcf85063_nvmem_write(void *priv, unsigned int offset, -- 2.34.1