fix(rcar3-drivers): add integer overflow check Add in the cert length calc function an integer overflow check Signed-off-by: Tobias Rist <tobias.rist@joynext.com> Signed-off-by: Yoshifumi Hosoya <yoshifumi.hosoya.wj@renesas.com> Change-Id: I80e93582cd2d6006186e1573406b4945943b9422

commit: 55351b92cce26e809a63045c559f4e1e45763b49 [log] [tgz]
author: Tobias Rist <tobias.rist@joynext.com> Tue Mar 07 09:00:09 2023 +0100
committer: Marek Vasut <marek.vasut+renesas@mailbox.org> Sun Dec 03 10:49:11 2023 +0100
tree: 7c0e2763c8f4b4556797e7902f1d05c8624edbca
parent: e2ed3e7ecea338ee7c7a2192e2983b452bcd8ada [diff]
diff --git a/drivers/renesas/common/io/io_rcar.c b/drivers/renesas/common/io/io_rcar.c
index 45ef386..8bbf988 100644
--- a/drivers/renesas/common/io/io_rcar.c
+++ b/drivers/renesas/common/io/io_rcar.c

@@ -244,8 +244,16 @@
 			dstl = cert + RCAR_CERT_INFO_DST_OFFSET;
 			break;
 		}
+		val = mmio_read_32(size);
+		if (val > (UINT32_MAX / 4)) {
+			ERROR("BL2: %s[%d] uint32 overflow!\n",
+				__func__, __LINE__);
+			*dst = 0;
+			*len = 0;
+			return;
+		}
 
-		*len = mmio_read_32(size) * 4U;
+		*len = val * 4U;
 		dsth = dstl + 4U;
 		*dst = ((uintptr_t) mmio_read_32(dsth) << 32) +
 		    ((uintptr_t) mmio_read_32(dstl));
commit	55351b92cce26e809a63045c559f4e1e45763b49	[log] [tgz]
author	Tobias Rist <tobias.rist@joynext.com>	Tue Mar 07 09:00:09 2023 +0100
committer	Marek Vasut <marek.vasut+renesas@mailbox.org>	Sun Dec 03 10:49:11 2023 +0100
tree	7c0e2763c8f4b4556797e7902f1d05c8624edbca
parent	e2ed3e7ecea338ee7c7a2192e2983b452bcd8ada [diff]