lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 22 Apr 2021 21:10:21 +0100
From:   Joe Burmeister <joe.burmeister@...tank.co.uk>
To:     Florian Fainelli <f.fainelli@...il.com>,
        Mark Brown <broonie@...nel.org>, Ray Jui <rjui@...adcom.com>,
        Scott Branden <sbranden@...adcom.com>,
        bcm-kernel-feedback-list@...adcom.com,
        Nicolas Saenz Julienne <nsaenzjulienne@...e.de>,
        linux-spi@...r.kernel.org, linux-rpi-kernel@...ts.infradead.org,
        linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] spi: bcm2835: Fix buffer overflow with CS able to go
 beyond limit.

> On 4/20/2021 1:34 AM, Joe Burmeister wrote:
>> It was previoulsy possible to have a device tree with more chips than
>> the driver supports and go off the end of CS arrays.
> Do you mind walking me through the code how that could have happened? We
> have spi_register_controller() call of_spi_get_gpio_numbers() which has
> the following:
>
> ctlr->num_chipselect = max_t(int, nb, ctlr->num_chipselect);
>
> such that what the controller has is the maximum between the number of
> 'cs-gpios' properties parsed and what was already populated in
> ctrl->num_chipselect during bcm2835_spi_probe(), which for this driver
> is BCM2835_SPI_NUM_CS (3).

If you make a initial device tree (or add overlay in the rpi's 
config.txt) with more on the bus than BCM2835_SPI_NUM_CS (in my case 8
devices), you get into this trampling memory state. As the devices are
added, once the chip_select is equal to or greater than
BCM2835_SPI_NUM_CS, it's writing off the end of the arrays.

There is no protection from this happening. By the looks of it, this
isn't the only driver this could happen with, but it is the one I have
hardware for to test. There are also drivers that look like they don't
have a problem going well beyond the limit they gave.

There is protection in spi_add_device, which will catch extra added
later, but not ones in the device tree when the spi controller was
registered.

>> This patches inforces CS limit but sets that limit to the max of the
>> default limit and what is in the device tree when driver is loaded.
>>
>> Signed-off-by: Joe Burmeister <joe.burmeister@...tank.co.uk>
> You have changed many more things that just enforcing a limit on
> BCM2835_SPI_NUM_CS you have now made all chip-select related data
> structuresd dynamically allocated and you have changed a number of
> prints to use the shorthand "dev" instead of &pdev->dev.
The change to dynamic allocated arrays is just to support what is given
in the deviceĀ  tree rather than increase and enforce the CS limit just
for my case.

The shorthand is of course not required. I'll drop it on resubmitting.

Regards,

Joe

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ