| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 6 Apr 2017 00:01:11 -0700
From: Frank Rowand <frowand.list@...il.com>
To: Sricharan R <sricharan@...eaurora.org>, robin.murphy@....com,
will.deacon@....com, joro@...tes.org, lorenzo.pieralisi@....com,
iommu@...ts.linux-foundation.org,
linux-arm-kernel@...ts.infradead.org,
linux-arm-msm@...r.kernel.org, m.szyprowski@...sung.com,
bhelgaas@...gle.com, linux-pci@...r.kernel.org,
linux-acpi@...r.kernel.org, tn@...ihalf.com, hanjun.guo@...aro.org,
okaya@...eaurora.org, robh+dt@...nel.org,
devicetree@...r.kernel.org, linux-kernel@...r.kernel.org,
sudeep.holla@....com, rjw@...ysocki.net, lenb@...nel.org,
catalin.marinas@....com, arnd@...db.de, linux-arch@...r.kernel.org,
gregkh@...uxfoundation.org
Subject: Re: [PATCH V10 06/12] of: device: Fix overflow of coherent_dma_mask
On 04/04/17 03:18, Sricharan R wrote:
> Size of the dma-range is calculated as coherent_dma_mask + 1
> and passed to arch_setup_dma_ops further. It overflows when
> the coherent_dma_mask is set for full 64 bits 0xFFFFFFFFFFFFFFFF,
> resulting in size getting passed as 0 wrongly. Fix this by
> passsing in max(mask, mask + 1). Note that in this case
> when the mask is set to full 64bits, we will be passing the mask
> itself to arch_setup_dma_ops instead of the size. The real fix
> for this should be to make arch_setup_dma_ops receive the
> mask and handle it, to be done in the future.
>
> Signed-off-by: Sricharan R <sricharan@...eaurora.org>
> ---
> drivers/of/device.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/of/device.c b/drivers/of/device.c
> index c17c19d..c2ae6bb 100644
> --- a/drivers/of/device.c
> +++ b/drivers/of/device.c
> @@ -107,7 +107,7 @@ void of_dma_configure(struct device *dev, struct device_node *np)
> ret = of_dma_get_range(np, &dma_addr, &paddr, &size);
> if (ret < 0) {
> dma_addr = offset = 0;
> - size = dev->coherent_dma_mask + 1;
> + size = max(dev->coherent_dma_mask, dev->coherent_dma_mask + 1);
> } else {
> offset = PFN_DOWN(paddr - dma_addr);
> dev_dbg(dev, "dma_pfn_offset(%#08lx)\n", offset);
>
NACK.
Passing an invalid size to arch_setup_dma_ops() is only part of the problem.
size is also used in of_dma_configure() before calling arch_setup_dma_ops():
dev->coherent_dma_mask = min(dev->coherent_dma_mask,
DMA_BIT_MASK(ilog2(dma_addr + size)));
*dev->dma_mask = min((*dev->dma_mask),
DMA_BIT_MASK(ilog2(dma_addr + size)));
which would be incorrect for size == 0xffffffffffffffffULL when
dma_addr != 0. So the proposed fix really is not papering over
the base problem very well.
I agree that the proper solution involves passing a mask instead
of a size to arch_setup_dma_ops().
-Frank
Powered by blists - more mailing lists