[PATCH 1/2] of: reserved_mem: avoid stack buffer overflow in fdt_scan_reserved_mem()

Next message: Wandun Chen: "[PATCH 2/2] of: reserved_mem: add config to extend dynamic reserved memory regions"
Previous message: Vlastimil Babka (SUSE): "Re: [PATCH] mm/slab: improve kmem_cache_alloc_bulk"
In reply to: Wandun Chen: "[PATCH 0/2] of: reserved_mem: fix stack overflow and make dynamic reserved region configurable"
Next in thread: Wandun Chen: "[PATCH 2/2] of: reserved_mem: add config to extend dynamic reserved memory regions"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Wandun Chen

Date: Thu Jun 04 2026 - 03:40:01 EST

From: Wandun Chen <chenwandun@xxxxxxxxxxx>

Sashiko found a potential stack buffer overflow in fdt_scan_reserved_mem()
due to missing bounds checking on dynamic_nodes_cnt [1].

Fix this by adding bounds check.

Link: https://sashiko.dev/#/patchset/20260604015332.3669384-1-chenwandun1%40gmail.com?part=1 [1]
Signed-off-by: Wandun Chen <chenwandun@xxxxxxxxxxx>
---
drivers/of/of_reserved_mem.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/drivers/of/of_reserved_mem.c b/drivers/of/of_reserved_mem.c
index ce1d5530ec0f..27dc98aa9bf9 100644
--- a/drivers/of/of_reserved_mem.c
+++ b/drivers/of/of_reserved_mem.c
@@ -346,6 +346,12 @@ int __init fdt_scan_reserved_mem(void)
err = __reserved_mem_reserve_reg(child, uname);
if (!err)
count++;
+
+ if (dynamic_nodes_cnt >= MAX_RESERVED_REGIONS) {
+ pr_err_once("Reserved memory: reached MAX_RESERVED_REGIONS(%d)\n",
+ MAX_RESERVED_REGIONS);
+ continue;
+ }
/*
* Save the nodes for the dynamically-placed regions
* into an array which will be used for allocation right
--
2.43.0