| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 17 May 2023 08:03:23 -0700
From: Todd Brandt <todd.e.brandt@...ux.intel.com>
To: Tudor Ambarus <tudor.ambarus@...aro.org>,
Todd Brandt <todd.e.brandt@...el.com>,
miquel.raynal@...tlin.com, linux-kernel@...r.kernel.org
Cc: pratyush@...nel.org,
"linux-mtd@...ts.infradead.org" <linux-mtd@...ts.infradead.org>,
Thorsten Leemhuis <regressions@...mhuis.info>
Subject: Re: [PATCH] MTD SPI-NOR: BUG FIX of divide by zero in new n_banks
value
On Wed, 2023-05-17 at 08:10 +0100, Tudor Ambarus wrote:
> Hi, Todd,
>
> On 5/16/23 23:51, Todd Brandt wrote:
> > While testing 6.4-rc1 on our Lenovo Thinkpad X1 I discovered
> > that freeze, suspend, and shutdown, all hang the system. I bisected
> > it to an addition made to the MTD spi-nor code.
> >
> > The new "n_banks" value is being divided into without a proper
> > check..
> > Thus on certain systems this causes a divide by zero hang.
> >
> > Reported-and-tested-by: Todd Brandt <todd.e.brandt@...ux.intel.com>
> > Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217448
> > Fixes: 9d6c5d64f028 ("mtd: spi-nor: Introduce the concept of bank")
> > Signed-off-by: Todd Brandt <todd.e.brandt@...el.com>
> > ---
> > drivers/mtd/spi-nor/core.c | 5 ++++-
> > 1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/mtd/spi-nor/core.c b/drivers/mtd/spi-
> > nor/core.c
> > index 0bb0ad14a2fc..084117959be4 100644
> > --- a/drivers/mtd/spi-nor/core.c
> > +++ b/drivers/mtd/spi-nor/core.c
> > @@ -2921,7 +2921,10 @@ static void spi_nor_late_init_params(struct
> > spi_nor *nor)
> > if (nor->flags & SNOR_F_HAS_LOCK && !nor->params->locking_ops)
> > spi_nor_init_default_locking_ops(nor);
> >
> > - nor->params->bank_size = div64_u64(nor->params->size, nor-
> > >info->n_banks);
> > + if (nor->info->n_banks > 0)
> > + nor->params->bank_size = div64_u64(nor->params->size,
> > nor->info->n_banks);
> > + else
> > + nor->params->bank_size = 0;
> > }
> >
> > /**
>
> Indeed, thanks for the report and patch. You probably use the
> spi-nor-generic driver, don't you?
>
> Can you try the following change instead?
Yes, this also seems to fix things on the Lenovo Thinkpad X1, but the
solution should be this AND the "if (nor->info->n_banks > 0)" patch. It
doesn't hurt to check even if it's a very unlikely border case. It
guarantees that the issue won't occur again even if somehow a struct
instance is created uninitialized.
You could probably just slim it down to a single if line instead of
if/else since the default bank_size is zero by default:
+ if (nor->info->n_banks > 0)
+ nor->params->bank_size = div64_u64(nor->params->size, nor-
>info->n_banks);
>
> diff --git a/drivers/mtd/spi-nor/core.c b/drivers/mtd/spi-nor/core.c
> index 0bb0ad14a2fc..37f750bd7bfb 100644
> --- a/drivers/mtd/spi-nor/core.cdrivers/mtd/spi-nor/core.h
> +++ b/drivers/mtd/spi-nor/core.cdrivers/mtd/spi-nor/core.c
> @@ -2018,6 +2018,7 @@ static const struct spi_nor_manufacturer
> *manufacturers[] = {
>
> static const struct flash_info spi_nor_generic_flash = {
> .name = "spi-nor-generic",
> + .n_banks = 1,
> /*
> * JESD216 rev A doesn't specify the page size, therefore we
> need a
> * sane default.
Powered by blists - more mailing lists