lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <10334742-2c44-0a2f-cbd7-b4ce93816300@foss.st.com>
Date:   Wed, 15 Feb 2023 09:51:05 +0100
From:   Amelie Delaunay <amelie.delaunay@...s.st.com>
To:     Arnd Bergmann <arnd@...nel.org>, Vinod Koul <vkoul@...nel.org>,
        "Maxime Coquelin" <mcoquelin.stm32@...il.com>,
        Alexandre Torgue <alexandre.torgue@...s.st.com>,
        Pierre Yves MORDRET <pierre-yves.mordret@...com>,
        M'boumba Cedric Madianga <cedric.madianga@...il.com>
CC:     Arnd Bergmann <arnd@...db.de>, <dmaengine@...r.kernel.org>,
        <linux-stm32@...md-mailman.stormreply.com>,
        <linux-arm-kernel@...ts.infradead.org>,
        <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] dmaengine: stm32-dma: avoid bitfield overflow assertion

Hi Arnd,

Thanks for pointing this issue.

On 2/14/23 11:32, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@...db.de>
> 
> stm32_dma_get_burst() returns a negative error code for invalid
> input, which gets turned into a large u32 value in stm32_dma_prep_dma_memcpy()
> that in turn triggers an assertion because it does not fit into a
> two-bit field:
> 
> drivers/dma/stm32-dma.c: In function 'stm32_dma_prep_dma_memcpy':
> include/linux/compiler_types.h:399:38: error: call to '__compiletime_assert_310' declared with attribute error: FIELD_PREP: value too large for the field
>    399 |  _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
>        |                                      ^
> include/linux/compiler_types.h:380:4: note: in definition of macro '__compiletime_assert'
>    380 |    prefix ## suffix();    \
>        |    ^~~~~~
> include/linux/compiler_types.h:399:2: note: in expansion of macro '_compiletime_assert'
>    399 |  _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
>        |  ^~~~~~~~~~~~~~~~~~~
> include/linux/build_bug.h:39:37: note: in expansion of macro 'compiletime_assert'
>     39 | #define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
>        |                                     ^~~~~~~~~~~~~~~~~~
> include/linux/bitfield.h:68:3: note: in expansion of macro 'BUILD_BUG_ON_MSG'
>     68 |   BUILD_BUG_ON_MSG(__builtin_constant_p(_val) ?  \
>        |   ^~~~~~~~~~~~~~~~
> include/linux/bitfield.h:114:3: note: in expansion of macro '__BF_FIELD_CHECK'
>    114 |   __BF_FIELD_CHECK(_mask, 0ULL, _val, "FIELD_PREP: "); \
>        |   ^~~~~~~~~~~~~~~~
> drivers/dma/stm32-dma.c:1273:4: note: in expansion of macro 'FIELD_PREP'
>   1273 |    FIELD_PREP(STM32_DMA_SCR_PBURST_MASK, dma_burst) |
>        |    ^~~~~~~~~~
> 
> I only see this with older gcc versions like gcc-6.5 or gcc-9.5 but not
> with gcc-12.2 or higher. My best guess is that this is the result of
> changes to __builtin_constant_p(), which seems to treat the 'cold'
> codepath after an error message as a constant branch, while in newer
> gcc versions the range check is skipped after determining that
> dma_burst is never a compile-time constant.
> 
> As an easy workaround, assume the error can happen, so try to handle this
> by failing stm32_dma_prep_dma_memcpy() before the assertion.
> 
> Fixes: 1c32d6c37cc2 ("dmaengine: stm32-dma: use bitfield helpers")
> Fixes: a2b6103b7a8a ("dmaengine: stm32-dma: Improve memory burst management")
> Signed-off-by: Arnd Bergmann <arnd@...db.de>
> ---
>   drivers/dma/stm32-dma.c | 4 ++++
>   1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/dma/stm32-dma.c b/drivers/dma/stm32-dma.c
> index 37674029cb42..e3cd4b0525e6 100644
> --- a/drivers/dma/stm32-dma.c
> +++ b/drivers/dma/stm32-dma.c
> @@ -1266,6 +1266,10 @@ static struct dma_async_tx_descriptor *stm32_dma_prep_dma_memcpy(
>   		best_burst = stm32_dma_get_best_burst(len, STM32_DMA_MAX_BURST,
>   						      threshold, max_width);
>   		dma_burst = stm32_dma_get_burst(chan, best_burst);
> +		if (dma_burst > 3) {
> +			kfree(desc);
> +			return NULL;
> +		}

Instead of hard-coding this check, I suggest to copy what is done in 
stm32_dma_set_xfer_param() where stm32_dma_get_burst() is also used.
So, change dma_burst from u32 to int, and check for negative value and 
failing in this case before the assertion of FIELD_PREP.

Regards,
Amelie

>   
>   		stm32_dma_clear_reg(&desc->sg_req[i].chan_reg);
>   		desc->sg_req[i].chan_reg.dma_scr =

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ