In overlaps_reserved_region(), fdt_getprop() returns the reg property
length in bytes, which the loop condition compares against a cell count.
Since each cell is 4 bytes, scale the count to bytes before comparing it
with len to avoid reading past the end of a truncated reg property.

Fixes: 6a38ea1d7b94 ("powerpc/fsl_booke/32: randomize the kernel image offset")
Cc: [email protected]
Signed-off-by: Thorsten Blum <[email protected]>
---
 arch/powerpc/mm/nohash/kaslr_booke.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/mm/nohash/kaslr_booke.c 
b/arch/powerpc/mm/nohash/kaslr_booke.c
index 3e5e67c76bda..82106a9d9d4c 100644
--- a/arch/powerpc/mm/nohash/kaslr_booke.c
+++ b/arch/powerpc/mm/nohash/kaslr_booke.c
@@ -123,8 +123,8 @@ static __init bool overlaps_reserved_region(const void 
*fdt, u32 start,
 
                len = 0;
                reg = fdt_getprop(fdt, subnode, "reg", &len);
-               while (len >= (regions.reserved_mem_addr_cells +
-                              regions.reserved_mem_size_cells)) {
+               while (len >= 4 * (regions.reserved_mem_addr_cells +
+                                  regions.reserved_mem_size_cells)) {
                        base = fdt32_to_cpu(reg[0]);
                        if (regions.reserved_mem_addr_cells == 2)
                                base = (base << 32) | fdt32_to_cpu(reg[1]);
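
Review bot: The literal 4 in the new `while (len >= 4 * (...))` condition is a magic number; since the loop reads cells through `reg[0]` and `reg[1]` with `fdt32_to_cpu()`, writing it as `sizeof(*reg)` (or naming the summed cell count in a local and multiplying once) ties the byte scaling to the element type actually being indexed. The shown context ends before the point where `len` and `reg` are advanced, so it is worth confirming that the decrement of `len` is also expressed in bytes, otherwise the condition and the step would still disagree. The same context does not show a NULL check on `reg` after `fdt_getprop()`; on failure that function returns NULL and stores a negative error code in `len`, so the comparison should be checked to make sure it cannot pass with a negative `len` if the operands on the right are unsigned.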
