lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Wed, 17 May 2023 08:03:23 -0700
From:   Todd Brandt <todd.e.brandt@...ux.intel.com>
To:     Tudor Ambarus <tudor.ambarus@...aro.org>,
        Todd Brandt <todd.e.brandt@...el.com>,
        miquel.raynal@...tlin.com, linux-kernel@...r.kernel.org
Cc:     pratyush@...nel.org,
        "linux-mtd@...ts.infradead.org" <linux-mtd@...ts.infradead.org>,
        Thorsten Leemhuis <regressions@...mhuis.info>
Subject: Re: [PATCH] MTD SPI-NOR: BUG FIX of divide by zero in new n_banks
 value

On Wed, 2023-05-17 at 08:10 +0100, Tudor Ambarus wrote:
> Hi, Todd,
> 
> On 5/16/23 23:51, Todd Brandt wrote:
> > While testing 6.4-rc1 on our Lenovo Thinkpad X1 I discovered
> > that freeze, suspend, and shutdown, all hang the system. I bisected
> > it to an addition made to the MTD spi-nor code.
> > 
> > The new "n_banks" value is being divided into without a proper
> > check..
> > Thus on certain systems this causes a divide by zero hang.
> > 
> > Reported-and-tested-by: Todd Brandt <todd.e.brandt@...ux.intel.com>
> > Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217448
> > Fixes: 9d6c5d64f028 ("mtd: spi-nor: Introduce the concept of bank")
> > Signed-off-by: Todd Brandt <todd.e.brandt@...el.com>
> > ---
> >  drivers/mtd/spi-nor/core.c | 5 ++++-
> >  1 file changed, 4 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/mtd/spi-nor/core.c b/drivers/mtd/spi-
> > nor/core.c
> > index 0bb0ad14a2fc..084117959be4 100644
> > --- a/drivers/mtd/spi-nor/core.c
> > +++ b/drivers/mtd/spi-nor/core.c
> > @@ -2921,7 +2921,10 @@ static void spi_nor_late_init_params(struct
> > spi_nor *nor)
> >  	if (nor->flags & SNOR_F_HAS_LOCK && !nor->params->locking_ops)
> >  		spi_nor_init_default_locking_ops(nor);
> >  
> > -	nor->params->bank_size = div64_u64(nor->params->size, nor-
> > >info->n_banks);
> > +	if (nor->info->n_banks > 0)
> > +		nor->params->bank_size = div64_u64(nor->params->size,
> > nor->info->n_banks);
> > +	else
> > +		nor->params->bank_size = 0;
> >  }
> >  
> >  /**
> 
> Indeed, thanks for the report and patch. You probably use the
> spi-nor-generic driver, don't you?
> 
> Can you try the following change instead?

Yes, this also seems to fix things on the Lenovo Thinkpad X1, but the
solution should be this AND the "if (nor->info->n_banks > 0)" patch. It
doesn't hurt to check even if it's a very unlikely border case. It
guarantees that the issue won't occur again even if somehow a struct
instance is created uninitialized.

You could probably just slim it down to a single if line instead of
if/else since the default bank_size is zero by default:

+   if (nor->info->n_banks > 0)
+       nor->params->bank_size = div64_u64(nor->params->size, nor-
>info->n_banks);

> 
> diff --git a/drivers/mtd/spi-nor/core.c b/drivers/mtd/spi-nor/core.c
>                       index 0bb0ad14a2fc..37f750bd7bfb 100644
> --- a/drivers/mtd/spi-nor/core.cdrivers/mtd/spi-nor/core.h
> +++ b/drivers/mtd/spi-nor/core.cdrivers/mtd/spi-nor/core.c
> @@ -2018,6 +2018,7 @@ static const struct spi_nor_manufacturer
> *manufacturers[] = {
> 
>  static const struct flash_info spi_nor_generic_flash = {
>         .name = "spi-nor-generic",
> +       .n_banks = 1,
>         /*
>          * JESD216 rev A doesn't specify the page size, therefore we
> need a
>          * sane default.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ