rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read

JIRA: https://issues.redhat.com/browse/RHEL-82456
CVE: CVE-2024-58069

commit 3ab8c5e
Author: Oleksij Rempel <linux@rempel-privat.de>
Date:   Wed Dec 18 20:34:58 2024 +0100

    rtc: pcf85063: fix potential OOB write in PCF85063 NVMEM read

    The nvmem interface supports variable buffer sizes, while the regmap
    interface operates with fixed-size storage. If an nvmem client uses a
    buffer size less than 4 bytes, regmap_read will write out of bounds
    as it expects the buffer to point at an unsigned int.

    Fix this by using an intermediary unsigned int to hold the value.

    Fixes: fadfd09 ("rtc: pcf85063: add nvram support")
    Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
    Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
    Link: https://lore.kernel.org/r/20241218-rtc-pcf85063-stack-corruption-v1-1-12fd0ee0f046@pengutronix.de
    Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>

Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>

Author: CKI Backport Bot

drivers/rtc/rtc-pcf85063.c

@@ -322,7 +322,16 @@ static const struct rtc_class_ops pcf85063_rtc_ops = {
 static int pcf85063_nvmem_read(void *priv, unsigned int offset,
 			       void *val, size_t bytes)
 {
-	return regmap_read(priv, PCF85063_REG_RAM, val);
+	unsigned int tmp;
+	int ret;
+
+	ret = regmap_read(priv, PCF85063_REG_RAM, &tmp);
+	if (ret < 0)
+		return ret;
+
+	*(u8 *)val = tmp;
+
+	return 0;
 }
 
 static int pcf85063_nvmem_write(void *priv, unsigned int offset,