| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20210429053802.17650-3-amit.kumar-mahapatra@xilinx.com>
Date: Wed, 28 Apr 2021 23:38:02 -0600
From: Amit Kumar Mahapatra <amit.kumar-mahapatra@...inx.com>
To: <broonie@...nel.org>
CC: <linux-spi@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
<git@...inx.com>,
Karen Dombroski <karen.dombroski@...sbioimaging.com>,
"Amit Kumar Mahapatra" <amit.kumar-mahapatra@...inx.com>
Subject: [RESEND 2/2] spi: spi-zynq-qspi: Fix stack violation bug
From: Karen Dombroski <karen.dombroski@...sbioimaging.com>
When the number of bytes for the op is greater than one, the read could
run off the end of the function stack and cause a crash.
This patch restores the behaviour of safely reading out of the original
opcode location.
Signed-off-by: Karen Dombroski <karen.dombroski@...sbioimaging.com>
Signed-off-by: Amit Kumar Mahapatra <amit.kumar-mahapatra@...inx.com>
---
drivers/spi/spi-zynq-qspi.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/spi/spi-zynq-qspi.c b/drivers/spi/spi-zynq-qspi.c
index 1acde9e24973..5a3d81c31d04 100644
--- a/drivers/spi/spi-zynq-qspi.c
+++ b/drivers/spi/spi-zynq-qspi.c
@@ -528,18 +528,17 @@ static int zynq_qspi_exec_mem_op(struct spi_mem *mem,
struct zynq_qspi *xqspi = spi_controller_get_devdata(mem->spi->master);
int err = 0, i;
u8 *tmpbuf;
- u8 opcode = op->cmd.opcode;
dev_dbg(xqspi->dev, "cmd:%#x mode:%d.%d.%d.%d\n",
- opcode, op->cmd.buswidth, op->addr.buswidth,
+ op->cmd.opcode, op->cmd.buswidth, op->addr.buswidth,
op->dummy.buswidth, op->data.buswidth);
zynq_qspi_chipselect(mem->spi, true);
zynq_qspi_config_op(xqspi, mem->spi);
- if (op->cmd.nbytes) {
+ if (op->cmd.opcode) {
reinit_completion(&xqspi->data_completion);
- xqspi->txbuf = &opcode;
+ xqspi->txbuf = (u8 *)&op->cmd.opcode;
xqspi->rxbuf = NULL;
xqspi->tx_bytes = op->cmd.nbytes;
xqspi->rx_bytes = op->cmd.nbytes;
--
2.17.1
Powered by blists - more mailing lists