| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 23 Mar 2016 15:00:12 -0700
From: Stephen Boyd <sboyd@...eaurora.org>
To: Hauke Mehrtens <hauke@...ke-m.de>
Cc: Aaro Koskinen <aaro.koskinen@....fi>,
Rafał Miłecki <zajec5@...il.com>,
Andrew Morton <akpm@...ux-foundation.org>,
linux-mips@...ux-mips.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] drivers/firmware/broadcom/bcm47xx_nvram.c: fix
incorrect __ioread32_copy
On 03/23, Hauke Mehrtens wrote:
> On 03/16/2016 12:06 AM, Aaro Koskinen wrote:
> > Commit 1f330c327900 ("drivers/firmware/broadcom/bcm47xx_nvram.c: use
> > __ioread32_copy() instead of open-coding") switched to use a generic copy
> > function, but failed to notice that the header pointer is updated between
> > the two copies, resulting in bogus data being copied in the latter one.
> > Fix by keeping the old header pointer.
> >
> > The patch fixes totally broken networking on WRT54GL router (both LAN
> > and WLAN interfaces fail to probe).
> >
> > Fixes: 1f330c327900 ("drivers/firmware/broadcom/bcm47xx_nvram.c: use __ioread32_copy() instead of open-coding")
> > Signed-off-by: Aaro Koskinen <aaro.koskinen@....fi>
> > ---
> >
> > v2: Avoid using the device memory after the first copy when
> > checking the nvram length, suggested by Stephen Boyd.
> >
> > v1: http://marc.info/?t=145807850800003&r=1&w=2
> >
> > drivers/firmware/broadcom/bcm47xx_nvram.c | 5 ++---
> > 1 file changed, 2 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/firmware/broadcom/bcm47xx_nvram.c b/drivers/firmware/broadcom/bcm47xx_nvram.c
> > index 0c2f0a6..0b631e5 100644
> > --- a/drivers/firmware/broadcom/bcm47xx_nvram.c
> > +++ b/drivers/firmware/broadcom/bcm47xx_nvram.c
> > @@ -94,15 +94,14 @@ static int nvram_find_and_copy(void __iomem *iobase, u32 lim)
> >
> > found:
> > __ioread32_copy(nvram_buf, header, sizeof(*header) / 4);
> > - header = (struct nvram_header *)nvram_buf;
> > - nvram_len = header->len;
> > + nvram_len = ((struct nvram_header *)(nvram_buf))->len;
>
> I do not understand why this change is needed? Doesn't the old code do
> exactly the same as the new one?
>
> The old code updated the header pointer and then accesses a member, the
> new one directly accesses this member without updating this pointer.
>
> I assume, I am missing something. ;-)
The goal is to access 'nvram_buf' which is a copy of 'header'.
This is to avoid any problems with accessing device memory, i.e.
'header', without using the appropriate I/O accessors (readl,
readw, readb).
The bug that's being fixed though is to make sure 'header'
doesn't get overwritten with the pointer to the in-memory copy
that we just made. Further down in this function we copy the
second 'header' that lives in device memory, and repointing
'header' to the in-memory copy breaks that.
--
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
a Linux Foundation Collaborative Project
Powered by blists - more mailing lists