coreboot_table_populate() iterates over firmware-provided table entries
with no validation that the entries stay within the mapped memory region.
A corrupt table with a large entry->size advances ptr_entry past the
mapped region, causing an out-of-bounds read on the next iteration.

Add a check before dereferencing ptr_entry to ensure the entry header
is readable, and a second check after reading entry->size to ensure the
full entry stays within the mapped region.

Pass len from coreboot_table_probe() into coreboot_table_populate() to
make the mapped region size available for validation.

Signed-off-by: Titouan Ameline de Cadeville <titouan.ameline@gmail.com>
---
 drivers/firmware/google/coreboot_table.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/firmware/google/coreboot_table.c b/drivers/firmware/google/coreboot_table.c
index c769631ea15d..233939e548b4 100644
--- a/drivers/firmware/google/coreboot_table.c
+++ b/drivers/firmware/google/coreboot_table.c
@@ -112,16 +112,20 @@ void coreboot_driver_unregister(struct coreboot_driver *driver)
 }
 EXPORT_SYMBOL(coreboot_driver_unregister);
 
-static int coreboot_table_populate(struct device *dev, void *ptr)
+static int coreboot_table_populate(struct device *dev, void *ptr, resource_size_t len)
 {
 	int i, ret;
 	void *ptr_entry;
 	struct coreboot_device *device;
 	struct coreboot_table_entry *entry;
 	struct coreboot_table_header *header = ptr;
+	void *ptr_end;
 
+	ptr_end = ptr + len;
 	ptr_entry = ptr + header->header_bytes;
 	for (i = 0; i < header->table_entries; i++) {
+		if (ptr_entry + sizeof(*entry) > ptr_end)
+			return -EINVAL;
 		entry = ptr_entry;
 
 		if (entry->size < sizeof(*entry)) {
@@ -129,6 +133,9 @@ static int coreboot_table_populate(struct device *dev, void *ptr)
 			return -EINVAL;
 		}
 
+		if (ptr_entry + entry->size > ptr_end)
+			return -EINVAL;
+
 		device = kzalloc(sizeof(device->dev) + entry->size, GFP_KERNEL);
 		if (!device)
 			return -ENOMEM;
@@ -194,7 +201,7 @@ static int coreboot_table_probe(struct platform_device *pdev)
 	if (!ptr)
 		return -ENOMEM;
 
-	ret = coreboot_table_populate(dev, ptr);
+	ret = coreboot_table_populate(dev, ptr, len);
 
 	memunmap(ptr);
 
-- 
2.44.2

On Sun, Apr 26, 2026 at 11:47:39PM +0200, Titouan Ameline de Cadeville wrote:
> coreboot_table_populate() iterates over firmware-provided table entries
> with no validation that the entries stay within the mapped memory region.
> A corrupt table with a large entry->size advances ptr_entry past the
> mapped region, causing an out-of-bounds read on the next iteration.
> 
> Add a check before dereferencing ptr_entry to ensure the entry header
> is readable, and a second check after reading entry->size to ensure the
> full entry stays within the mapped region.
> 
> Pass len from coreboot_table_probe() into coreboot_table_populate() to
> make the mapped region size available for validation.

To be fair, the `len` is also from the firmware.  If it's corrupted as well,
the out-of-bounds read could still happen.

> 
> [...]

Applied to

    https://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux.git for-firmware-next

[1/1] firmware: google: add bounds checks in coreboot_table_populate()
      commit: 7b1a1af4556a4f95ef273e91435fe804cbfcd223

Thanks!

Reviewed-by: Julius Werner <jwerner@chromium.org>

On Mon, Apr 27, 2026 at 11:55:51AM -0700, Julius Werner wrote:
> Reviewed-by: Julius Werner <jwerner@chromium.org>

Julius: Please don't top-posting in the upstream mailing list [1].

[1] https://www.kernel.org/doc/html/latest/process/submitting-patches.html#use-trimmed-interleaved-replies-in-email-discussions