| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <bc9af3437b823d9acbfebdeeffdad04c@codeaurora.org>
Date: Wed, 22 Jul 2020 09:48:03 +0530
From: Sibi Sankar <sibis@...eaurora.org>
To: Bjorn Andersson <bjorn.andersson@...aro.org>
Cc: agross@...nel.org, linux-arm-msm@...r.kernel.org,
linux-remoteproc@...r.kernel.org, linux-kernel@...r.kernel.org,
evgreen@...omium.org, ohad@...ery.com,
linux-kernel-owner@...r.kernel.org
Subject: Re: [PATCH v2 1/2] remoteproc: qcom_q6v5_mss: Add modem debug policy
support
On 2020-07-22 09:24, Bjorn Andersson wrote:
> On Tue 21 Jul 04:29 PDT 2020, Sibi Sankar wrote:
>
>> Add modem debug policy support which will enable coredumps and live
>> debug support when the msadp firmware is present on secure devices.
>>
>> Signed-off-by: Sibi Sankar <sibis@...eaurora.org>
>> ---
>>
>> v2:
>> * Use request_firmware_direct [Bjorn]
>> * Use Bjorn's template to show if debug policy is present
>> * Add size check to prevent memcpy out of bounds [Bjorn]
>>
>> drivers/remoteproc/qcom_q6v5_mss.c | 16 +++++++++++++++-
>> 1 file changed, 15 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/remoteproc/qcom_q6v5_mss.c
>> b/drivers/remoteproc/qcom_q6v5_mss.c
>> index 0b6f260eb5349..49cd16e050533 100644
>> --- a/drivers/remoteproc/qcom_q6v5_mss.c
>> +++ b/drivers/remoteproc/qcom_q6v5_mss.c
>> @@ -189,6 +189,7 @@ struct q6v5 {
>> phys_addr_t mba_phys;
>> void *mba_region;
>> size_t mba_size;
>> + size_t dp_size;
>>
>> phys_addr_t mpss_phys;
>> phys_addr_t mpss_reloc;
>> @@ -408,6 +409,14 @@ static int q6v5_xfer_mem_ownership(struct q6v5
>> *qproc, int *current_perm,
>> static int q6v5_load(struct rproc *rproc, const struct firmware *fw)
>> {
>> struct q6v5 *qproc = rproc->priv;
>> + const struct firmware *dp_fw;
>> +
>> + if (!request_firmware_direct(&dp_fw, "msadp", qproc->dev) &&
>> fw->size <= SZ_1M &&
>> + (SZ_1M + dp_fw->size) <= qproc->mba_size) {
>> + memcpy(qproc->mba_region + SZ_1M, dp_fw->data, dp_fw->size);
>> + qproc->dp_size = dp_fw->size;
>> + release_firmware(dp_fw);
>
> If request_firmware_direct() succeeds, but return a firmware blob
> bigger
> than mba_size - SZ_1M you won't get here and will end up leaking dp_fw.
>
> Additionally, there really isn't a need for requesting the firmware in
> the first place if fw->size > SZ_1M.
>
> So I think it's better if you break this out in it's own function where
> you don't need to squeeze everything into one or two conditionals.
I'll fix dp_fw leak and move it
to a new func. Thanks for the
review.
>
> Regards,
> Bjorn
>
>> + }
>>
>> memcpy(qproc->mba_region, fw->data, fw->size);
>>
>> @@ -896,6 +905,10 @@ static int q6v5_mba_load(struct q6v5 *qproc)
>> }
>>
>> writel(qproc->mba_phys, qproc->rmb_base + RMB_MBA_IMAGE_REG);
>> + if (qproc->dp_size) {
>> + writel(qproc->mba_phys + SZ_1M, qproc->rmb_base +
>> RMB_PMI_CODE_START_REG);
>> + writel(qproc->dp_size, qproc->rmb_base + RMB_PMI_CODE_LENGTH_REG);
>> + }
>>
>> ret = q6v5proc_reset(qproc);
>> if (ret)
>> @@ -1257,7 +1270,8 @@ static int q6v5_start(struct rproc *rproc)
>> if (ret)
>> return ret;
>>
>> - dev_info(qproc->dev, "MBA booted, loading mpss\n");
>> + dev_info(qproc->dev, "MBA booted with%s debug policy, loading
>> mpss\n",
>> + qproc->dp_size ? "" : "out");
>>
>> ret = q6v5_mpss_load(qproc);
>> if (ret)
>> --
>> The Qualcomm Innovation Center, Inc. is a member of the Code Aurora
>> Forum,
>> a Linux Foundation Collaborative Project
>>
--
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
a Linux Foundation Collaborative Project.
Powered by blists - more mailing lists