lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200712100118.13343-2-jonathanh@nvidia.com>
Date:   Sun, 12 Jul 2020 11:01:14 +0100
From:   Jon Hunter <jonathanh@...dia.com>
To:     Thierry Reding <thierry.reding@...il.com>
CC:     <linux-tegra@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
        Timo Alho <talho@...dia.com>, Jon Hunter <jonathanh@...dia.com>
Subject: [PATCH 1/5] firmware: tegra: add return code checks and increase debugfs size

From: Timo Alho <talho@...dia.com>

Add checking of the BPMP-FW return code values for MRQ_DEBUGFS calls.

Also, development versions of the firmware may have debugfs with
directory structure larger than 256Kb. Hence increase the size of the
memory buffer to accommodate those firmware revisions.

And finally, ensure that no access outside of allocated memory buffer
happens in case BPMP-FW returns an invalid response size (nbytes) from
mrq_debugfs_dumpdir() call.

Signed-off-by: Timo Alho <talho@...dia.com>
Signed-off-by: Jon Hunter <jonathanh@...dia.com>
---
 drivers/firmware/tegra/bpmp-debugfs.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/firmware/tegra/bpmp-debugfs.c b/drivers/firmware/tegra/bpmp-debugfs.c
index 3f0a89ce131a..08e0f05f46c6 100644
--- a/drivers/firmware/tegra/bpmp-debugfs.c
+++ b/drivers/firmware/tegra/bpmp-debugfs.c
@@ -127,6 +127,8 @@ static int mrq_debugfs_read(struct tegra_bpmp *bpmp,
 	err = tegra_bpmp_transfer(bpmp, &msg);
 	if (err < 0)
 		return err;
+	else if (msg.rx.ret < 0)
+		return -EINVAL;
 
 	*nbytes = (size_t)resp.fop.nbytes;
 
@@ -184,6 +186,8 @@ static int mrq_debugfs_dumpdir(struct tegra_bpmp *bpmp, dma_addr_t addr,
 	err = tegra_bpmp_transfer(bpmp, &msg);
 	if (err < 0)
 		return err;
+	else if (msg.rx.ret < 0)
+		return -EINVAL;
 
 	*nbytes = (size_t)resp.dumpdir.nbytes;
 
@@ -374,7 +378,7 @@ int tegra_bpmp_init_debugfs(struct tegra_bpmp *bpmp)
 {
 	dma_addr_t phys;
 	void *virt;
-	const size_t sz = SZ_256K;
+	const size_t sz = SZ_512K;
 	size_t nbytes;
 	int ret;
 	struct dentry *root;
@@ -394,8 +398,12 @@ int tegra_bpmp_init_debugfs(struct tegra_bpmp *bpmp)
 	}
 
 	ret = mrq_debugfs_dumpdir(bpmp, phys, sz, &nbytes);
-	if (ret < 0)
+	if (ret < 0) {
+		goto free;
+	} else if (nbytes > sz) {
+		ret = -EINVAL;
 		goto free;
+	}
 
 	ret = create_debugfs_mirror(bpmp, virt, nbytes, root);
 free:
-- 
2.17.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ