lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 4 Sep 2019 07:41:35 +0000
From:   Anson Huang <anson.huang@....com>
To:     Leonard Crestez <leonard.crestez@....com>,
        Aisheng Dong <aisheng.dong@....com>
CC:     "shawnguo@...nel.org" <shawnguo@...nel.org>,
        "s.hauer@...gutronix.de" <s.hauer@...gutronix.de>,
        "kernel@...gutronix.de" <kernel@...gutronix.de>,
        "festevam@...il.com" <festevam@...il.com>,
        Daniel Baluta <daniel.baluta@....com>,
        Abel Vesa <abel.vesa@....com>,
        "linux-arm-kernel@...ts.infradead.org" 
        <linux-arm-kernel@...ts.infradead.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        dl-linux-imx <linux-imx@....com>
Subject: RE: [PATCH] soc: imx: imx-scu: Getting UID from SCU should have
 response

Hi, Leonard

> On 2019-09-04 10:14 AM, Anson Huang wrote:
> > The SCU firmware API for getting UID should have response, otherwise,
> > the message stored in function stack could be released and then the
> > response data received from SCU will be stored into that released
> > stack and cause kernel NULL pointer dump.
> 
> This fix looks good, but looking at imx-scu code it seems that passing the
> incorrect "have_resp" argument to imx_scu_call_rpc or just receiving an
> unexpected message from SCFW will always result in kernel stack corruption!
> 
> This is worth handling inside imx-scu itself: unless a response was explicitly
> requested it should ignore and print a warning on rx, for example by setting
> imx_sc_ipc to NULL when not waiting for a response.
> 
> Holding on to arbitrary stack pointers is bad.

We noticed this issue recently during the development of ON/OFF button support,
this UID is lucky, the stack is NOT released when SCU response data is received, but
this fix should be applied.

We talked to Chuck about adding return value for these special APIs, response data
needed but no return value from SCU, so very likely we will need a patch in imx_sc_ipc
driver to enhance/handle that, will do a patch for it later.

Thanks,
Anson

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ