mail archive of the barebox mailing list
From: Sascha Hauer <s.hauer@pengutronix.de>
To: Barebox List <barebox@lists.infradead.org>
Subject: [PATCH] power: reset: Fix array out of bounds access
Date: Wed,  8 Mar 2023 10:34:57 +0100
Message-ID: <20230308093457.2637532-1-s.hauer@pengutronix.de>

In reboot_mode_register() we iterate over the properties of the given
node in order to count the valid properties. The count is then used to
allocate arrays which are then filled in another iteration loop over the
properties. In that loop we use the array entries before we actually
realize that the property is invalid and shall be skipped. That means
we access an out of bounds array entry when the very last property in
the node is invalid. In my case this blew up when enabling
CONFIG_OF_OVERLAY_LIVE which results in an additional phandle = <xy>
property in the node.

Fix this by simply allocating one array entry more than finally needed.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 drivers/power/reset/reboot-mode.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/power/reset/reboot-mode.c b/drivers/power/reset/reboot-mode.c
index 375ef0adcb..7f940a2d88 100644
--- a/drivers/power/reset/reboot-mode.c
+++ b/drivers/power/reset/reboot-mode.c
@@ -139,8 +139,13 @@ int reboot_mode_register(struct reboot_mode_driver *reboot,
 
 	reboot->nmodes = nmodes;
 	reboot->nelems = nelems;
-	reboot->magics = xzalloc(nmodes * nelems * sizeof(u32));
-	reboot->modes = xzalloc(nmodes * sizeof(const char *));
+
+	/*
+	 * Allocate one entry more than necessary, because in the loop below
+	 * we use an entry before we realize that the property is not valid.
+	 */
+	reboot->magics = xzalloc((nmodes + 1) * nelems * sizeof(u32));
+	reboot->modes = xzalloc((nmodes + 1) * sizeof(const char *));
 
 	reboot_mode_print(reboot, "registering magic", reboot_mode);
 
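Review bot: The extra entry in both xzalloc() calls keeps the write-before-validate order that the new comment describes, so the sizes now have to track what the fill loop does rather than the count stored in reboot->nmodes. Consider moving the validity check ahead of the first write in that loop, so the allocations can stay at nmodes entries and a skipped property never touches reboot->magics or reboot->modes. If the over-allocation stays, the comment could also state that only the first nmodes entries are valid and that the spare slot may hold leftovers from a skipped property.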
-- 
2.30.2
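
The count-then-fill pattern described in the commit message, written so that each property is validated before any array slot is touched. This is an added example, not barebox code: struct prop, struct modes, modes_fill(), the "mode-" validity rule and the sample properties are assumptions made for the sketch, which stores one magic value per mode.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for a device tree property and the driver's arrays. */
struct prop { const char *name; uint32_t magic; };
struct modes { size_t nmodes; const char **names; uint32_t *magics; };

/* Assumed validity rule for this sketch: only "mode-<name>" properties count. */
static int prop_is_mode(const struct prop *p)
{
	return strncmp(p->name, "mode-", 5) == 0 && p->name[5] != '\0';
}

/* Pass 1 counts valid properties, pass 2 fills. Returns 0, or -1 on error. */
static int modes_fill(struct modes *m, const struct prop *props, size_t nprops)
{
	size_t i, n = 0;
	for (i = 0; i < nprops; i++)
		n += prop_is_mode(&props[i]);
	m->nmodes = 0;
	m->names = calloc(n ? n : 1, sizeof(*m->names));
	m->magics = calloc(n ? n : 1, sizeof(*m->magics));
	if (!m->names || !m->magics)
		goto err;
	for (i = 0; i < nprops; i++) {
		/* Validate first, so a skipped property never touches the arrays. */
		if (!prop_is_mode(&props[i]))
			continue;
		if (m->nmodes >= n)	/* bound check in case the passes disagree */
			goto err;
		m->names[m->nmodes] = props[i].name + 5;
		m->magics[m->nmodes++] = props[i].magic;
	}
	return 0;
err:
	free(m->names);
	free(m->magics);
	return -1;
}
/* Constructed sample: the invalid "phandle" property comes last in the node. */
static const struct prop sample[] = {
	{ "mode-normal", 0x0 }, { "mode-loader", 0xbb }, { "phandle", 0x1 },
};

int main(void)
{
	struct modes m;
	return modes_fill(&m, sample, sizeof(sample) / sizeof(sample[0]));
}
```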



