lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <1336565592-17577-1-git-send-email-ldewangan@nvidia.com>
Date:	Wed,  9 May 2012 17:43:12 +0530
From:	Laxman Dewangan <ldewangan@...dia.com>
To:	broonie@...nsource.wolfsonmicro.com, gregkh@...uxfoundation.org
Cc:	linux-kernel@...r.kernel.org,
	Laxman Dewangan <ldewangan@...dia.com>
Subject: [PATCH] regmap: fix possible memory corruption in regmap_bulk_read()

The function regmap_bulk_read() calls the regmap_read() for
each register if set of register has volatile and cache is
enabled. In this case, last few register read makes the memory
corruption if the register size is not the size of unsigned int.
The regam_read() takes argument as unsigned int for returning
value and it update the value as
	*val = map->format.parse_val(map->work_buf);
This causes complete 4 bytes (size of unsigned int) to get written.
Now if client pass the memory pointer for value which is equal to the
required size of register count in regmap_bulk_read() then last few
register read actually update the memory beyond passed pointer size.

Avoid this by using local variable for read and then do memcpy()
for actual byte copy to passed pointer based on register size.

I allocated one pointer ptr and take first 16 bytes dump of that
pointer then call regmap_bulk_read() with pointer which is just
on top of this allocated pointer and register count of 128. Here
register size is 1 byte.
The memory trace of last 5 register read are as follows:

[    5.438589] regmap_bulk_read after regamp_read() for register 122
[    5.447421] 0xef993c20 0xef993c00 0x00000000 0x00000001
[    5.467535] regmap_bulk_read after regamp_read() for register 123
[    5.476374] 0xef993c20 0xef993c00 0x00000000 0x00000001
[    5.496425] regmap_bulk_read after regamp_read() for register 124
[    5.505260] 0xef993c20 0xef993c00 0x00000000 0x00000001
[    5.525372] regmap_bulk_read after regamp_read() for register 125
[    5.534205] 0xef993c00 0xef993c00 0x00000000 0x00000001
[    5.554258] regmap_bulk_read after regamp_read() for register 126
[    5.563100] 0xef990000 0xef993c00 0x00000000 0x00000001
[    5.554258] regmap_bulk_read after regamp_read() for register 127
[    5.587108] 0xef000000 0xef993c00 0x00000000 0x00000001

Here it is observed that the memory content at first word started changing
on last 3 regmap_read() and so corruption happened.

Signed-off-by: Laxman Dewangan <ldewangan@...dia.com>
---
This patch is against the linus' tree.
Added tree as
git remote add -t master -f linus
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6.git

 drivers/base/regmap/regmap.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
index 7a3f535..bb80853 100644
--- a/drivers/base/regmap/regmap.c
+++ b/drivers/base/regmap/regmap.c
@@ -775,9 +775,11 @@ int regmap_bulk_read(struct regmap *map, unsigned int reg, void *val,
 			map->format.parse_val(val + i);
 	} else {
 		for (i = 0; i < val_count; i++) {
-			ret = regmap_read(map, reg + i, val + (i * val_bytes));
+			unsigned int ival;
+			ret = regmap_read(map, reg + i, &ival);
 			if (ret != 0)
 				return ret;
+			memcpy(val + (i * val_bytes), &ival, val_bytes);
 		}
 	}
 
-- 
1.7.1.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ