lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1564158758.2311.49.camel@pengutronix.de>
Date:   Fri, 26 Jul 2019 18:32:38 +0200
From:   Lucas Stach <l.stach@...gutronix.de>
To:     Stefan Agner <stefan@...er.ch>, hongxing.zhu@....com
Cc:     lorenzo.pieralisi@....com, jingoohan1@...il.com,
        gustavo.pimentel@...opsys.com, tpiepho@...inj.com,
        leonard.crestez@....com, bhelgaas@...gle.com,
        linux-pci@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH RESEND v8] PCI: imx6: limit DBI register length

Am Freitag, den 26.07.2019, 16:40 +0200 schrieb Stefan Agner:
> Define the length of the DBI registers and limit config space to its
> length. This makes sure that the kernel does not access registers
> beyond that point, avoiding the following abort on a i.MX 6Quad:
>   # cat /sys/devices/soc0/soc/1ffc000.pcie/pci0000\:00/0000\:00\:00.0/config
>   [  100.021433] Unhandled fault: imprecise external abort (0x1406) at 0xb6ea7000
>   ...
>   [  100.056423] PC is at dw_pcie_read+0x50/0x84
>   [  100.060790] LR is at dw_pcie_rd_own_conf+0x44/0x48
>   ...
> 
> Signed-off-by: Stefan Agner <stefan@...er.ch>

Reviewed-by: Lucas Stach <l.stach@...gutronix.de>

> ---
> Changes in v3:
> - Rebase on pci/dwc
> Changes in v4:
> - Rebase on pci/dwc
> Changes in v5:
> - Rebased ontop of pci/dwc
> - Use DBI length of 0x200
> Changes in v6:
> - Use pci_dev.cfg_size mechanism to limit config space (this made patch 1
>   of previous versions of this patchset obsolete).
> Changes in v7:
> - Restrict fixup to Synopsys/0xabcd
> - Apply cfg_size limitation only if dbi_length is specified
> Changes in v8:
> - Restrict fixup for Synopsys/0xabcd and class PCI bridge
> - Check device driver to be pci-imx6
> 
>  drivers/pci/controller/dwc/pci-imx6.c | 33 +++++++++++++++++++++++++++
>  1 file changed, 33 insertions(+)
> 
> diff --git a/drivers/pci/controller/dwc/pci-imx6.c b/drivers/pci/controller/dwc/pci-imx6.c
> index 9b5cb5b70389..8b8efa3063f5 100644
> --- a/drivers/pci/controller/dwc/pci-imx6.c
> +++ b/drivers/pci/controller/dwc/pci-imx6.c
> @@ -57,6 +57,7 @@ enum imx6_pcie_variants {
>  struct imx6_pcie_drvdata {
> >  	enum imx6_pcie_variants variant;
> >  	u32 flags;
> > +	int dbi_length;
>  };
>  
>  struct imx6_pcie {
> @@ -1212,6 +1213,7 @@ static const struct imx6_pcie_drvdata drvdata[] = {
> >  		.variant = IMX6Q,
> >  		.flags = IMX6_PCIE_FLAG_IMX6_PHY |
> >  			 IMX6_PCIE_FLAG_IMX6_SPEED_CHANGE,
> > +		.dbi_length = 0x200,
> >  	},
> >  	[IMX6SX] = {
> >  		.variant = IMX6SX,
> @@ -1254,6 +1256,37 @@ static struct platform_driver imx6_pcie_driver = {
> >  	.shutdown = imx6_pcie_shutdown,
>  };
>  
> +static void imx6_pcie_quirk(struct pci_dev *dev)
> +{
> > +	struct pci_bus *bus = dev->bus;
> > +	struct pcie_port *pp = bus->sysdata;
> +
> > +	/* Bus parent is the PCI bridge, its parent is this platform driver */
> > +	if (!bus->dev.parent || !bus->dev.parent->parent)
> > +		return;
> +
> > +	/* Make sure we only quirk devices associated with this driver */
> > +	if (bus->dev.parent->parent->driver != &imx6_pcie_driver.driver)
> > +		return;
> +
> > +	if (bus->number == pp->root_bus_nr) {
> > +		struct dw_pcie *pci = to_dw_pcie_from_pp(pp);
> > +		struct imx6_pcie *imx6_pcie = to_imx6_pcie(pci);
> +
> > +		/*
> > +		 * Limit config length to avoid the kernel reading beyond
> > +		 * the register set and causing an abort on i.MX 6Quad
> > +		 */
> > +		if (imx6_pcie->drvdata->dbi_length) {
> > +			dev->cfg_size = imx6_pcie->drvdata->dbi_length;
> > +			dev_info(&dev->dev, "Limiting cfg_size to %d\n",
> > +					dev->cfg_size);
> > +		}
> > +	}
> +}
> +DECLARE_PCI_FIXUP_CLASS_HEADER(PCI_VENDOR_ID_SYNOPSYS, 0xabcd,
> > +			PCI_CLASS_BRIDGE_PCI, 8, imx6_pcie_quirk);
> +
>  static int __init imx6_pcie_init(void)
>  {
>  #ifdef CONFIG_ARM

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ