Message-Id: <d27e359c-1ea3-4d08-b124-e794fd372b28@app.fastmail.com>
Date:   Thu, 11 May 2023 15:40:28 +0200
From:   "Arnd Bergmann" <arnd@...db.de>
To:     "Artur Rojek" <contact@...ur-rojek.eu>,
        "Geert Uytterhoeven" <geert@...ux-m68k.org>
Cc:     "Thomas Zimmermann" <tzimmermann@...e.de>,
        "kernel test robot" <lkp@...el.com>,
        "Helge Deller" <deller@....de>,
        "Javier Martinez Canillas" <javierm@...hat.com>,
        "Daniel Vetter" <daniel@...ll.ch>,
        "Vineet Gupta" <vgupta@...nel.org>,
        "Huacai Chen" <chenhuacai@...nel.org>,
        "WANG Xuerui" <kernel@...0n.name>,
        "David S . Miller" <davem@...emloft.net>,
        "James E . J . Bottomley" <James.Bottomley@...senpartnership.com>,
        "Sam Ravnborg" <sam@...nborg.org>, suijingfeng@...ngson.cn,
        oe-kbuild-all@...ts.linux.dev,
        Linux-Arch <linux-arch@...r.kernel.org>,
        linux-fbdev@...r.kernel.org, linux-ia64@...r.kernel.org,
        linux-parisc@...r.kernel.org, linux-kernel@...r.kernel.org,
        dri-devel@...ts.freedesktop.org, linux-m68k@...ts.linux-m68k.org,
        loongarch@...ts.linux.dev, sparclinux@...r.kernel.org,
        linux-snps-arc@...ts.infradead.org,
        linux-arm-kernel@...ts.infradead.org
Subject: Re: [PATCH v6 5/6] fbdev: Move framebuffer I/O helpers into <asm/fb.h>

On Thu, May 11, 2023, at 15:22, Artur Rojek wrote:
> On 2023-05-11 14:35, Geert Uytterhoeven wrote:
>> 
>> CC Artur, who's working on HP Jornada 680.
> Thanks for CC'ing me - I faced this exact issue while working on my
> (still not upstreamed) hd6446x PCMCIA controller driver. The PCMCIA
> subsystem uses `inb/outb`, which expect the `sh_io_port_base` to be set
> to something else than the default `-1`. At first I tried to set it to
> `0xa0000000`, so that all I/O goes through the fixed, non-cacheable P2
> area. That however broke some other driver code (I had no time to debug
> which one). Eventually I ended up taking a suggestion from a MIPS PCMCIA
> driver [1] and simply subtract the broken `sh_io_port_base` address
> from `HD64461_IOBASE`, as the base for `socket.io_offset`. This way all
> the PCMCIA `inb/outb` accesses are absolute, no matter what the
> `sh_io_port_base` is set to. This of course is a very ugly solution and
> we should instead fix the root cause of this mess. I will have a better
> look at this patch set and the problem at hand at a later date.
>
> Cheers,
> Artur
>
> [1] 
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/pcmcia/db1xxx_ss.c?h=v6.4-rc1#n527

I think the best fix would be to change all those drivers away
from using inb/outb to readb/writeb, except when they access the
actual PCMCIA I/O space behind the bridge.

On most of the modern architectures, inb(addr) now turns into
approximately readb(PCI_IOBASE + addr), with a bit of extra
logic to deal with endianness and barrier semantics.

PCI_IOBASE in turn tends to be a hardcoded virtual address
to which the physical I/O space window gets mapped during
early boot, though you can also #define it to sh_io_port_base
if you want to allocate the virtual address dynamically and
leave the existing logic unchanged.

Setting sh_io_port_base to zero however is a problem for any
driver that passes a small port number into it -- this then
turns into a user space pointer dereference, which is trivially
exploitable.

     Arnd
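
Added example, not part of the original message and not kernel code: a user-space C model of the address arithmetic discussed in this thread, showing where inb(port) lands for a given I/O base, the io_offset subtraction described in the quoted reply, and a check that rejects accesses falling into the user half of the address space. The function names, USER_SPACE_TOP and the BRIDGE_IOBASE value (standing in for HD64461_IOBASE) are assumptions constructed for illustration; 0xa0000000 is the P2 base quoted above.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed values for illustration, not taken from a real board. */
#define USER_SPACE_TOP 0x7c000000u /* assumed top of the user address range */
#define P2_BASE        0xa0000000u /* P2 base quoted in the thread */
#define BRIDGE_IOBASE  0xb0000000u /* placeholder for HD64461_IOBASE */

/* Model of inb(port) ~= readb(io_base + port): the address that is touched. */
static uint32_t io_effective_addr(uint32_t io_base, uint32_t port)
{
    return io_base + port; /* 32-bit wraparound is intended */
}

/* Workaround from the quoted reply: io_offset = bridge base - io_base,
 * so io_base + io_offset + port is absolute whatever io_base holds. */
static uint32_t socket_io_offset(uint32_t io_base)
{
    return BRIDGE_IOBASE - io_base;
}

/* Nonzero when the access would dereference a user-space address. */
static int lands_in_user_space(uint32_t addr)
{
    return addr < USER_SPACE_TOP;
}

/* Hypothetical guard: refuse port accesses that resolve below the boundary. */
static int port_access_is_safe(uint32_t io_base, uint32_t port)
{
    return !lands_in_user_space(io_effective_addr(io_base, port));
}

int main(void)
{
    const uint32_t bases[] = { 0x00000000u, P2_BASE };
    const uint32_t port = 0x3f8; /* a typical small legacy port number */

    for (unsigned i = 0; i < sizeof(bases) / sizeof(bases[0]); i++) {
        uint32_t b = bases[i];
        printf("base=%08x plain=%08x (%s) with io_offset=%08x\n",
               (unsigned)b, (unsigned)io_effective_addr(b, port),
               port_access_is_safe(b, port) ? "kernel" : "USER",
               (unsigned)io_effective_addr(b, socket_io_offset(b) + port));
    }
    return 0;
}
```

With a base of zero the plain access resolves to 0x000003f8 and is flagged, while the io_offset form resolves to the same bridge address for every base.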
