Message-Id: <20210630122057.2795882-1-arnd@kernel.org>
Date:   Wed, 30 Jun 2021 14:20:53 +0200
From:   Arnd Bergmann <arnd@...nel.org>
To:     Ulf Hansson <ulf.hansson@...aro.org>
Cc:     Arnd Bergmann <arnd@...db.de>,
        Jernej Skrabec <jernej.skrabec@...il.com>,
        Adrian Hunter <adrian.hunter@...el.com>,
        linux-mmc@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: [PATCH] mmc: warn for invalid SDIO data buffers

From: Arnd Bergmann <arnd@...db.de>

Jernej Skrabec reported a problem with the cw1200 driver failing on
arm64 systems with CONFIG_VMAP_STACK=y.

The driver in this case passes a pointer to a stack variable (in vmalloc
space) into the sdio layer, which gets translated into an invalid DMA
address.

Even without CONFIG_VMAP_STACK, the driver is still unreliable, as
cache invalidations on the DMA buffer may cause random data corruption
in adjacent stack slots.

This could be worked around in the SDIO core, but in the discussion we
decided that passing a stack variable into SDIO should always be considered
a bug, as it is for USB drivers.

Change the sdio core to produce a one-time warning for any on-stack
(both with and without CONFIG_VMAP_STACK) as well as any vmalloc
or module-local address that would have the same translation problem.

Cc: Jernej Skrabec <jernej.skrabec@...il.com>
Link: https://lore.kernel.org/lkml/20210622202345.795578-1-jernej.skrabec@gmail.com/
Signed-off-by: Arnd Bergmann <arnd@...db.de>
---
 drivers/mmc/core/sdio_ops.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/mmc/core/sdio_ops.c b/drivers/mmc/core/sdio_ops.c
index 4c229dd2b6e5..14e983faf223 100644
--- a/drivers/mmc/core/sdio_ops.c
+++ b/drivers/mmc/core/sdio_ops.c
@@ -6,6 +6,7 @@
  */
 
 #include <linux/scatterlist.h>
+#include <linux/sched/task_stack.h>
 
 #include <linux/mmc/host.h>
 #include <linux/mmc/card.h>
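Review bot: the include added in this header block covers only object_is_on_stack(); is_vmalloc_or_module_addr(), which the second hunk also calls, is declared in <linux/mm.h>, and that header is not included directly in the lines shown. Consider adding an explicit #include <linux/mm.h> beside the new line so the file does not depend on another header pulling it in. It is also worth build-testing with the MMC core built as a module, since the check then needs that helper to be available to modules.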
@@ -124,6 +125,7 @@ int mmc_io_rw_extended(struct mmc_card *card, int write, unsigned fn,
 	int err;
 
 	WARN_ON(blksz == 0);
+	WARN_ON_ONCE(is_vmalloc_or_module_addr(buf) || object_is_on_stack(buf));
 
 	/* sanity check */
 	if (addr & ~0x1FFFF)
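Review bot: the WARN_ON_ONCE() added after the blksz check only reports the bad buffer; mmc_io_rw_extended() then carries on with the transfer, using an address that the commit message says translates into an invalid DMA address. Consider failing the request instead, for example `if (WARN_ON_ONCE(...)) return -EINVAL;`, or add a comment explaining why the transfer is still allowed to proceed. A short comment above the check stating the rule (SDIO data buffers must not be on the stack, in vmalloc space or module-local) would also help driver authors who hit the warning, and because the warning is one-time, only the first offending caller will be logged per boot.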
-- 
2.29.2
