| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 9 May 2012 17:20:39 +0530
From: Laxman Dewangan <ldewangan@...dia.com>
To: broonie@...nsource.wolfsonmicro.com, gregkh@...uxfoundation.org
Cc: linux-kernel@...r.kernel.org,
Laxman Dewangan <ldewangan@...dia.com>
Subject: [PATCH] regmap: fix possible memory corruption in regmap_bulk_read()
The function regmap_bulk_read() calls the regmap_read() for
each register if set of register has volatile and cache is
enabled. In this case, last few register read makes the memory
corruption if the register size is not the size of unsigned int.
The regam_read() takes argument as unsigned int for returning
value and it update the value as
*val = map->format.parse_val(map->work_buf);
This causes complete 4 bytes (size of unsigned int) to get written.
Now if client pass the memory pointer for value which is equal to the
required size of register count in regmap_bulk_read() then last few
register read actually update the memory beyond passed pointer size.
Avoid this by using local variable for read and then do memcpy()
for actual byte copy to passed pointer based on register size.
I allocated one pointer ptr and take first 16 bytes dump of that
pointer then call regmap_bulk_read() with pointer which is just
on top of this allocated pointer and register count of 128. Here
register size is 1 byte.
The memory trace of last 5 register read are as follows:
[ 5.438589] regmap_bulk_read after regamp_read() for register 122
[ 5.447421] 0xef993c20 0xef993c00 0x00000000 0x00000001
[ 5.467535] regmap_bulk_read after regamp_read() for register 123
[ 5.476374] 0xef993c20 0xef993c00 0x00000000 0x00000001
[ 5.496425] regmap_bulk_read after regamp_read() for register 124
[ 5.505260] 0xef993c20 0xef993c00 0x00000000 0x00000001
[ 5.525372] regmap_bulk_read after regamp_read() for register 125
[ 5.534205] 0xef993c00 0xef993c00 0x00000000 0x00000001
[ 5.554258] regmap_bulk_read after regamp_read() for register 126
[ 5.563100] 0xef990000 0xef993c00 0x00000000 0x00000001
[ 5.554258] regmap_bulk_read after regamp_read() for register 127
[ 5.587108] 0xef000000 0xef993c00 0x00000000 0x00000001
Here it is observed that the memory content at first word started changing
on last 3 regmap_read() and so corruption happened.
Signed-off-by: Laxman Dewangan <ldewangan@...dia.com>
---
drivers/base/regmap/regmap.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
index 8a25006..0d8a70a 100644
--- a/drivers/base/regmap/regmap.c
+++ b/drivers/base/regmap/regmap.c
@@ -863,10 +863,11 @@ int regmap_bulk_read(struct regmap *map, unsigned int reg, void *val,
map->format.parse_val(val + i);
} else {
for (i = 0; i < val_count; i++) {
- ret = regmap_read(map, reg + (i * map->reg_stride),
- val + (i * val_bytes));
+ unsigned int ival;
+ ret = regmap_read(map, reg + (i * map->reg_stride), &ival);
if (ret != 0)
return ret;
+ memcpy(val + (i * val_bytes), &ival, val_bytes);
}
}
--
1.7.1.1
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists