From: Titouan Ameline de Cadeville
To: tzungbi@kernel.org
Cc: briannorris@chromium.org, jwerner@chromium.org, chrome-platform@lists.linux.dev, linux-kernel@vger.kernel.org, Titouan Ameline de Cadeville
Subject: [PATCH] firmware: google: add bounds checks in coreboot_table_populate()
Date: Sun, 26 Apr 2026 23:47:39 +0200
Message-ID: <20260426214739.117131-1-titouan.ameline@gmail.com>

coreboot_table_populate() iterates over firmware-provided table entries with no validation that the entries stay within the mapped memory region. A corrupt table with a large entry->size advances ptr_entry past the mapped region, causing an out-of-bounds read on the next iteration.

Add a check before dereferencing ptr_entry to ensure the entry header is readable, and a second check after reading entry->size to ensure the full entry stays within the mapped region.

Pass len from coreboot_table_probe() into coreboot_table_populate() to make the mapped region size available for validation.

Signed-off-by: Titouan Ameline de Cadeville
Reviewed-by: Julius Werner
---
 drivers/firmware/google/coreboot_table.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/firmware/google/coreboot_table.c b/drivers/firmware/go= ogle/coreboot_table.c
index c769631ea15d..233939e548b4 100644
--- a/drivers/firmware/google/coreboot_table.c
+++ b/drivers/firmware/google/coreboot_table.c
@@ -112,16 +112,20 @@ void coreboot_driver_unregister(struct coreboot_drive= r *driver) } EXPORT_SYMBOL(coreboot_driver_unregister); =20 -static int coreboot_table_populate(struct device *dev, void *ptr) +static int coreboot_table_populate(struct device *dev, void *ptr, resource= _size_t len) { int i, ret; void *ptr_entry; struct coreboot_device *device; struct coreboot_table_entry *entry; struct coreboot_table_header *header =3D ptr; + void *ptr_end; =20 + ptr_end =3D ptr + len; ptr_entry =3D ptr + header->header_bytes; for (i =3D 0; i < header->table_entries; i++) { + if (ptr_entry + sizeof(*entry) > ptr_end) + return -EINVAL; entry =3D ptr_entry; =20 if (entry->size < sizeof(*entry)) { @@ -129,6 +133,9 @@ static int coreboot_table_populate(struct device *dev, = void *ptr) return -EINVAL; } =20 + if (ptr_entry + entry->size > ptr_end) + return -EINVAL; + device =3D kzalloc(sizeof(device->dev) + entry->size, GFP_KERNEL); if (!device) return -ENOMEM; @@ -194,7 +201,7 @@ static int coreboot_table_probe(struct platform_device = *pdev) if (!ptr) return -ENOMEM; =20 - ret =3D coreboot_table_populate(dev, ptr); + ret =3D coreboot_table_populate(dev, ptr, len); =20 memunmap(ptr); =20 --=20 2.44.2
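Review bot: in the first hunk, `ptr_entry = ptr + header->header_bytes` is still derived from an unvalidated firmware field before the new `ptr_entry + sizeof(*entry) > ptr_end` check runs, and nothing visible ensures `len >= sizeof(*header)` before `header->header_bytes` and `header->table_entries` are read from the mapping. The new check does reject an oversized header_bytes on the first iteration as long as the pointer arithmetic does not wrap, but the intent is clearer, and the wrap case is avoided, by validating the offsets as integers up front, e.g. `if (len < sizeof(*header) || header->header_bytes > len) return -EINVAL;` before `ptr_entry` is computed.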
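Review bot: the new `ptr_entry + entry->size > ptr_end` rejection in the second hunk returns -EINVAL silently, so a truncated or corrupt table shows up only as a bare probe failure with nothing in the log to point at the offending entry; consider a `dev_err(dev, ...)` reporting the entry index `i` and `entry->size` next to the return, in line with the error path of the `entry->size < sizeof(*entry)` check just above it. Ordering the new check after that minimum-size check is right, since the size used for the bound has already been sanity-checked by the time it is added to `ptr_entry`.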