HIGH
nvmem ZynqMP Buffer Overflow
CVE-2026-31743
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 HIGH
01 Description
In the Linux kernel, the following vulnerability has been resolved:

nvmem: zynqmp_nvmem: Fix buffer size in DMA and memcpy

Buffer size used in dma allocation and memcpy is wrong. It can lead to undersized DMA buffer access and possible memory corruption. Use correct buffer size in dma_alloc_coherent and memcpy.
02 KernelScan AI Analysis
Risk summary
The ZynqMP NVMEM driver sizes the DMA buffer used for eFuse accesses with sizeof(bytes) instead of bytes, so the buffer is always the size of a size_t rather than the size of the request. Any eFuse read or write larger than that runs past the end of the allocation, corrupting kernel memory. On affected ZynqMP-based systems this can mean a crash, corrupted eFuse data, or, in the worst case, privilege escalation by a local user who is permitted to access the NVMEM device.
Vulnerability analysis
Root Cause: The zynqmp_nvmem driver used sizeof(bytes) instead of bytes when allocating its DMA data buffer and when copying to and from it. bytes is the size_t length of the caller's request, so sizeof(bytes) is a compile-time constant equal to sizeof(size_t): 8 bytes on a 64-bit kernel, 4 on a 32-bit one, regardless of how much data was asked for. Requests of one or two words therefore fit by accident, which is why the bug was easy to miss, but anything larger overruns the buffer: the firmware DMA writes past the allocation on a read, and the driver's own memcpy copies bytes bytes into or out of a buffer that is only sizeof(size_t) long.
Attack Surface: The bug is reachable only locally. An attacker needs a process that is allowed to read or write eFuse data through the NVMEM subsystem's standard interface, and then simply issues a request larger than sizeof(size_t). No special hardware condition is required; any caller with the device permissions the system grants for the eFuse NVMEM device can trigger it.
Fix Mechanism: The patch corrects three instances of incorrect buffer sizing: (1) the dma_alloc_coherent allocation uses bytes instead of sizeof(bytes), (2) the matching dma_free_coherent uses bytes instead of sizeof(bytes), so the free length agrees with the allocation, and (3) the one memcpy that copies into an integer variable copies sizeof(value) instead of bytes. The value variable is also changed from int to unsigned int for consistency. A practitioner reviewing similar drivers should treat sizeof() applied to a length parameter, rather than to the object being copied, as the smell to look for.
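To make the sizing mistake concrete, here is an added userspace model of the eFuse read path described under Root Cause and Fix Mechanism. It is written for this page and is not the driver's code: dma_alloc_coherent is replaced by a tracked calloc so an overrun is reported as -EOVERFLOW instead of corrupting memory, and a synthetic firmware stands in for the real eFuse access call. The 32-bit word size, the 0xC base offset, the word-alignment check and every name in the block (dma_buf, efuse_read_model, read_status, ...) are assumptions of the model. The `fixed` flag selects sizeof(bytes) or bytes for the allocation, so the same path shows why small reads work by accident and larger ones overrun.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WORD_INBYTES 4          /* eFuse rows are 32-bit words (assumed for the model) */
#define EFUSE_BASE_OFFSET 0xC   /* first eFuse offset used by the model (assumed) */

/* Tracked buffer standing in for a dma_alloc_coherent() allocation.
 * Recording the real length lets the model detect an overrun instead of
 * performing one. */
struct dma_buf {
	unsigned char *ptr;
	size_t len;
};

static int dma_buf_alloc(struct dma_buf *b, size_t len)
{
	b->ptr = calloc(1, len);
	b->len = b->ptr ? len : 0;
	return b->ptr ? 0 : -ENOMEM;
}

static void dma_buf_free(struct dma_buf *b)
{
	free(b->ptr);
	b->ptr = NULL;
	b->len = 0;
}

/* Synthetic firmware side of an eFuse read: DMA `words` 32-bit words into
 * the kernel's buffer. Real firmware cannot know how big that buffer is;
 * the model returns -EOVERFLOW exactly where hardware would silently write
 * past the allocation. Word values are constructed, not real eFuse data. */
static int fake_efuse_firmware_read(struct dma_buf *b, unsigned int offset,
				    size_t words)
{
	if (words * WORD_INBYTES > b->len)
		return -EOVERFLOW;
	for (size_t i = 0; i < words; i++) {
		uint32_t w = 0xE0000000u | (offset + (unsigned int)(i * WORD_INBYTES));
		memcpy(b->ptr + i * WORD_INBYTES, &w, sizeof(w));
	}
	return 0;
}

/* The allocation size the buggy code computed: sizeof() of the size_t
 * parameter, a compile-time constant unrelated to the request. */
static size_t buggy_alloc_len(size_t bytes)
{
	return sizeof(bytes);   /* 8 on a 64-bit build, 4 on 32-bit */
}

/* Model of the eFuse read path. `fixed` selects sizeof(bytes) (the bug)
 * or bytes (the fix) for the DMA data buffer. Returns 0 or -errno. */
static int efuse_read_model(unsigned int offset, void *val, size_t bytes,
			    int fixed)
{
	struct dma_buf data;
	size_t alloc_len = fixed ? bytes : buggy_alloc_len(bytes);
	int ret;

	if (bytes % WORD_INBYTES != 0)
		return -EOPNOTSUPP;   /* modeled: only word-aligned requests accepted */

	ret = dma_buf_alloc(&data, alloc_len);
	if (ret)
		return ret;

	ret = fake_efuse_firmware_read(&data, offset, bytes / WORD_INBYTES);
	if (ret == 0)
		memcpy(val, data.ptr, bytes);   /* in bounds only because the firmware refused otherwise */

	dma_buf_free(&data);
	return ret;
}

/* Helpers returning plain values so the outcome of each variant is checkable. */
static int read_status(size_t bytes, int fixed)
{
	unsigned char buf[256] = {0};
	if (bytes > sizeof(buf))
		return -EINVAL;
	return efuse_read_model(EFUSE_BASE_OFFSET, buf, bytes, fixed);
}

static uint32_t read_word(size_t bytes, size_t idx, int fixed)
{
	uint32_t buf[64] = {0};
	if (bytes > sizeof(buf) || idx >= bytes / WORD_INBYTES ||
	    efuse_read_model(EFUSE_BASE_OFFSET, buf, bytes, fixed))
		return 0;
	return buf[idx];
}

int main(void)
{
	printf("sizeof(bytes) on this build : %zu\n", buggy_alloc_len(64));
	printf("4-byte read, buggy sizing   : %d\n", read_status(4, 0));
	printf("64-byte read, buggy sizing  : %d (-EOVERFLOW is %d)\n", read_status(64, 0), -EOVERFLOW);
	printf("64-byte read, fixed sizing  : %d\n", read_status(64, 1));
	return 0;
}
```

A single-word read succeeds under both sizings, which is why the driver could ship with the bug; the 64-byte read fails only in the model because the fake firmware refuses to overrun, whereas the real DMA engine would write past the coherent buffer and the following memcpy would read the same out-of-bounds range.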
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.81 | 2f6e5b9964d0 |
| 6.18 | 6.18.22 | 784ed4abded1 |
| 6.19 | 6.19.12 | 6c01e7f11f5e |
| mainline | 7.0 | f9b88613ff40 |