lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20200525214726.GA19717@toerring.de>
Date:   Mon, 25 May 2020 23:47:26 +0200
From:   Jens Thoms Toerring <jt@...rring.de>
To:     Mark Brown <broonie@...nel.org>, linux-kernel@...r.kernel.org
Subject: [PATCH v2] regmap: fix alignment issues

The assembly and disassembly of data to be sent to or received from a
device invoke functions (regmap_format_XXX() and regmap_parse_XXX())
that extract or insert data items into a buffer. In some cases these
functions are invoked with buffer pointers with odd addresses but try
to directly assign from or to those address. On architectures with
strict alignment requirements this leads to kernel crashes for u16 and
u32 values. The assignments have are replaced by memcpy() calls.

Signed-off-by: Jens Thoms Toerring <jt@...rring.de>
---
 drivers/base/regmap/regmap.c | 40 ++++++++++++++++++++++++----------------
 1 file changed, 24 insertions(+), 16 deletions(-)

diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
index 58cfb32..d495ce1 100644
--- a/drivers/base/regmap/regmap.c
+++ b/drivers/base/regmap/regmap.c
@@ -193,15 +193,17 @@ static void regmap_format_8(void *buf, unsigned int val, unsigned int shift)
 
 static void regmap_format_16_be(void *buf, unsigned int val, unsigned int shift)
 {
-	__be16 *b = buf;
+	__be16 v = cpu_to_be16(val << shift);
 
-	b[0] = cpu_to_be16(val << shift);
+	memcpy(buf, &v, sizeof(v));
 }
 
 static void regmap_format_16_native(void *buf, unsigned int val,
 				    unsigned int shift)
 {
-	*(u16 *)buf = val << shift;
+	u16 v = val << shift;
+
+	memcpy(buf, &v, sizeof(v));
 }
 
 static void regmap_format_24(void *buf, unsigned int val, unsigned int shift)
@@ -217,15 +219,17 @@ static void regmap_format_24(void *buf, unsigned int val, unsigned int shift)
 
 static void regmap_format_32_be(void *buf, unsigned int val, unsigned int shift)
 {
-	__be32 *b = buf;
+	__be32 v = cpu_to_be32(val << shift);
 
-	b[0] = cpu_to_be32(val << shift);
+	memcpy(buf, &v, sizeof(v));
 }
 
 static void regmap_format_32_native(void *buf, unsigned int val,
 				    unsigned int shift)
 {
-	*(u32 *)buf = val << shift;
+	u32 v = val << shift;
+
+	memcpy(buf, &v, sizeof(v));
 }
 
 static unsigned int regmap_parse_8(void *buf)
@@ -237,16 +241,18 @@ static unsigned int regmap_parse_8(void *buf)
 
 static unsigned int regmap_parse_16_be(void *buf)
 {
-	__be16 *b = buf;
+	__be16 v;
 
-	b[0] = be16_to_cpu(b[0]);
-
-	return b[0];
+	memcpy(&v, buf, sizeof(v));
+	return be16_to_cpu(v);
 }
 
 static unsigned int regmap_parse_16_native(void *buf)
 {
-	return *(u16 *)buf;
+	u16 v;
+
+	memcpy(&v, buf, sizeof(v));
+	return v;
 }
 
 static unsigned int regmap_parse_24(void *buf)
@@ -261,16 +267,18 @@ static unsigned int regmap_parse_24(void *buf)
 
 static unsigned int regmap_parse_32_be(void *buf)
 {
-	__be32 *b = buf;
-
-	b[0] = be32_to_cpu(b[0]);
+	__be32 v;
 
-	return b[0];
+	memcpy(&v, buf, sizeof(v));
+	return be32_to_cpu(v);
 }
 
 static unsigned int regmap_parse_32_native(void *buf)
 {
-	return *(u32 *)buf;
+	u32 v;
+
+	memcpy(&v, buf, sizeof(v));
+	return v;
 }
 
 static void regmap_lock_mutex(void *__map)
-- 
1.9.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ