lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210518185503.162787-1-jonathanh@nvidia.com>
Date:   Tue, 18 May 2021 19:55:03 +0100
From:   Jon Hunter <jonathanh@...dia.com>
To:     Miquel Raynal <miquel.raynal@...tlin.com>,
        Richard Weinberger <richard@....at>,
        Vignesh Raghavendra <vigneshr@...com>,
        Michael Walle <michael@...le.cc>
CC:     <linux-mtd@...ts.infradead.org>, <linux-kernel@...r.kernel.org>,
        <linux-tegra@...r.kernel.org>, Jon Hunter <jonathanh@...dia.com>
Subject: [PATCH] mtd: core: Fix freeing of otp_info buffer

Commit 4b361cfa8624 ("mtd: core: add OTP nvmem provider support") is
causing the following panic ...

 ------------[ cut here ]------------
 kernel BUG at /local/workdir/tegra/linux_next/kernel/mm/slab.c:2730!
 Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM
 Modules linked in:
 CPU: 3 PID: 1 Comm: swapper/0 Not tainted 5.13.0-rc2-next-20210518 #1
 Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
 PC is at ___cache_free+0x3f8/0x51c
 ...
 [<c029bb1c>] (___cache_free) from [<c029c658>] (kfree+0xac/0x1bc)
 [<c029c658>] (kfree) from [<c06da094>] (mtd_otp_size+0xc4/0x108)
 [<c06da094>] (mtd_otp_size) from [<c06dc864>] (mtd_device_parse_register+0xe4/0x2b4)
 [<c06dc864>] (mtd_device_parse_register) from [<c06e3ccc>] (spi_nor_probe+0x210/0x2c0)
 [<c06e3ccc>] (spi_nor_probe) from [<c06e9578>] (spi_probe+0x88/0xac)
 [<c06e9578>] (spi_probe) from [<c066891c>] (really_probe+0x214/0x3a4)
 [<c066891c>] (really_probe) from [<c0668b14>] (driver_probe_device+0x68/0xc0)
 [<c0668b14>] (driver_probe_device) from [<c0666cf8>] (bus_for_each_drv+0x5c/0xbc)
 [<c0666cf8>] (bus_for_each_drv) from [<c0668694>] (__device_attach+0xe4/0x150)
 [<c0668694>] (__device_attach) from [<c06679e0>] (bus_probe_device+0x84/0x8c)
 [<c06679e0>] (bus_probe_device) from [<c06657f8>] (device_add+0x48c/0x868)
 [<c06657f8>] (device_add) from [<c06eb784>] (spi_add_device+0xa0/0x168)
 [<c06eb784>] (spi_add_device) from [<c06ec9a8>] (spi_register_controller+0x8b8/0xb38)
 [<c06ec9a8>] (spi_register_controller) from [<c06ecc3c>] (devm_spi_register_controller+0x14/0x50)
 [<c06ecc3c>] (devm_spi_register_controller) from [<c06f0510>] (tegra_spi_probe+0x33c/0x450)
 [<c06f0510>] (tegra_spi_probe) from [<c066abec>] (platform_probe+0x5c/0xb8)
 [<c066abec>] (platform_probe) from [<c066891c>] (really_probe+0x214/0x3a4)
 [<c066891c>] (really_probe) from [<c0668b14>] (driver_probe_device+0x68/0xc0)
 [<c0668b14>] (driver_probe_device) from [<c0668e30>] (device_driver_attach+0x58/0x60)
 [<c0668e30>] (device_driver_attach) from [<c0668eb8>] (__driver_attach+0x80/0xc8)
 [<c0668eb8>] (__driver_attach) from [<c0666c48>] (bus_for_each_dev+0x78/0xb8)
 [<c0666c48>] (bus_for_each_dev) from [<c0667c44>] (bus_add_driver+0x164/0x1e8)
 [<c0667c44>] (bus_add_driver) from [<c066997c>] (driver_register+0x7c/0x114)
 [<c066997c>] (driver_register) from [<c010223c>] (do_one_initcall+0x50/0x2b0)
 [<c010223c>] (do_one_initcall) from [<c11011f0>] (kernel_init_freeable+0x1a8/0x1fc)
 [<c11011f0>] (kernel_init_freeable) from [<c0c09190>] (kernel_init+0x8/0x118)
 [<c0c09190>] (kernel_init) from [<c01001b0>] (ret_from_fork+0x14/0x24)
 ...
 ---[ end trace 0f652dd222de75d7 ]---

In the function mtd_otp_size() a buffer is allocated by calling
kmalloc() and a pointer to the buffer is stored in a variable 'info'.
The pointer 'info' may then be incremented depending on the length
returned from mtd_get_user/fact_prot_info(). If 'info' is incremented,
when kfree() is called to free the buffer the above panic occurs because
we are no longer passing the original address of the buffer allocated.
Fix this by indexing through the buffer allocated to avoid incrementing
the pointer.

Fixes: 4b361cfa8624 ("mtd: core: add OTP nvmem provider support")
Signed-off-by: Jon Hunter <jonathanh@...dia.com>
---
 drivers/mtd/mtdcore.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/mtd/mtdcore.c b/drivers/mtd/mtdcore.c
index 3ae261661eea..ffa46ccea0cf 100644
--- a/drivers/mtd/mtdcore.c
+++ b/drivers/mtd/mtdcore.c
@@ -792,10 +792,8 @@ static ssize_t mtd_otp_size(struct mtd_info *mtd, bool is_user)
 	if (ret)
 		goto err;
 
-	for (i = 0; i < retlen / sizeof(*info); i++) {
-		size += info->length;
-		info++;
-	}
+	for (i = 0; i < retlen / sizeof(*info); i++)
+		size += info[i].length;
 
 	kfree(info);
 	return size;
-- 
2.7.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ