Merge: CVE-2024-58007: soc: qcom: socinfo: Avoid out of bounds read of serial number

caringi · caringi · commit 287474102f2b · 2025-04-04T12:34:52.000-03:00
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/6662 ## Summary of Changes Backport `22cf4fae6660` ("soc: qcom: socinfo: Avoid out of bounds read of serial number") to fix CVE-2024-58007, as well as a couple of additional commits to prevent conflicts. ## Approved Development Ticket(s) JIRA: https://issues.redhat.com/browse/RHEL-85597 CVE: CVE-2024-58007 Signed-off-by: Jared Kangas <jkangas@redhat.com> Approved-by: Eric Chanudet <echanude@redhat.com> Approved-by: Radu Rendec <rrendec@redhat.com> Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by: Augusto Caringi <acaringi@redhat.com>
diff --git a/drivers/soc/qcom/socinfo.c b/drivers/soc/qcom/socinfo.c
@@ -614,10 +614,16 @@ static int qcom_socinfo_probe(struct platform_device *pdev)
 	qs->attr.revision = devm_kasprintf(&pdev->dev, GFP_KERNEL, "%u.%u",
 					   SOCINFO_MAJOR(le32_to_cpu(info->ver)),
 					   SOCINFO_MINOR(le32_to_cpu(info->ver)));
-	if (offsetof(struct socinfo, serial_num) <= item_size)
+	if (!qs->attr.soc_id || !qs->attr.revision)
+		return -ENOMEM;
+
+	if (offsetofend(struct socinfo, serial_num) <= item_size) {
 		qs->attr.serial_number = devm_kasprintf(&pdev->dev, GFP_KERNEL,
 							"%u",
 							le32_to_cpu(info->serial_num));
+		if (!qs->attr.serial_number)
+			return -ENOMEM;
+	}
 
 	qs->soc_dev = soc_device_register(&qs->attr);
 	if (IS_ERR(qs->soc_dev))
