| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <152341170436.180276.10941810507471101174@swboyd.mtv.corp.google.com>
Date: Tue, 10 Apr 2018 18:55:04 -0700
From: Stephen Boyd <sboyd@...nel.org>
To: Andy Gross <andy.gross@...aro.org>,
Avaneesh Kumar Dwivedi <akdwived@...eaurora.org>,
Bjorn Andersson <bjorn.andersson@...aro.org>,
Niklas Cassel <niklas.cassel@...aro.org>,
Stephen Boyd <sboyd@...eaurora.org>
Cc: linux-arm-msm@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] firmware: qcom: scm: Fix crash in qcom_scm_call_atomic1()
Quoting Niklas Cassel (2018-04-09 14:40:15)
> qcom_scm_call_atomic1() can crash with a NULL pointer dereference at
> qcom_scm_call_atomic1+0x30/0x48.
>
> disassembly of qcom_scm_call_atomic1():
> ...
> <0xc08d73b0 <+12>: ldr r3, [r12]
> ... (no instruction explicitly modifies r12)
> 0xc08d73cc <+40>: smc 0
> ... (no instruction explicitly modifies r12)
> 0xc08d73d4 <+48>: ldr r3, [r12] <- crashing instruction
> ...
>
> Since the first ldr is successful, and since r12 isn't explicitly
> modified by any instruction between the first and the second ldr,
> it must have been modified by the smc call, which is ok,
> since r12 is caller save according to the AAPCS.
>
> Add r12 to the clobber list so that the compiler knows that the
> callee potentially overwrites the value in r12.
> Clobber descriptions may not in any way overlap with an input or
> output operand.
>
> Signed-off-by: Niklas Cassel <niklas.cassel@...aro.org>
> ---
Reviewed-by: Stephen Boyd <sboyd@...nel.org>
Powered by blists - more mailing lists