lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20230523212241.av5tts233p5hlodm@synopsys.com>
Date:   Tue, 23 May 2023 21:22:43 +0000
From:   Thinh Nguyen <Thinh.Nguyen@...opsys.com>
To:     Krishna Kurapati PSSNV <quic_kriskura@...cinc.com>
CC:     Thinh Nguyen <Thinh.Nguyen@...opsys.com>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        "linux-usb@...r.kernel.org" <linux-usb@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "quic_ppratap@...cinc.com" <quic_ppratap@...cinc.com>,
        "quic_wcheng@...cinc.com" <quic_wcheng@...cinc.com>,
        "quic_jackp@...cinc.com" <quic_jackp@...cinc.com>,
        "quic_ugoswami@...cinc.com" <quic_ugoswami@...cinc.com>
Subject: Re: [RFC] usb: dwc3: gadget: Fix amount of data copied from event buf
 to cache

On Tue, May 23, 2023, Krishna Kurapati PSSNV wrote:
> 
> 
> On 5/23/2023 2:47 AM, Thinh Nguyen wrote:
> > On Sun, May 21, 2023, Krishna Kurapati wrote:
> > > In the current implementation, the check_event_buf call reads the
> > > GEVNTCOUNT register to determine the amount of event data generated
> > > and copies it from ev->buf to ev->cache after masking interrupt.
> > > 
> > > During copy if the amount of data to be copied is more than
> > > (length - lpos), we fill the ev->cache till the end of 4096 byte
> > > buffer allocated and then start filling from the top (lpos = 0).
> > > 
> > > In one instance of SMMU crash it is observed that GEVNTCOUNT register
> > > reads more than 4096 bytes:
> > > 
> > > dwc3_readl   base=0xffffffc0091dc000  offset=50188  value=63488
> > > 
> > > (offset = 50188 -> 0xC40C)  -> reads 63488 bytes
> > > 
> > > As per crash dump:
> > > dwc->lpos = 2056
> > > 
> > > and evt->buf is at 0xFFFFFFC009185000 and the crash is at
> > > 0xFFFFFFC009186000. The diff which is exactly 0x1000 bytes.
> > > 
> > > We first memcpy 2040 bytes from (buf + lpos) to (buf + 0x1000).
> > > 
> > > And then we copy the rest of the data (64388 - 2040) from beginning
> > > of dwc->ev_buf. While doing so we go beyond bounds as we are trying
> > > to memcpy 62348 bytes into a 4K buffer resulting in crash.
> > > 
> > > Fix this by limiting the total data being copied to ev->length to
> > > avoid copying data beyond bounds. Moreover this is logical because if
> > > the controller generated events more than the size of ring buffer,
> > > some of them might have been overwritten by the controller.
> > > 
> > > Signed-off-by: Krishna Kurapati <quic_kriskura@...cinc.com>
> > > ---
> > > Only one instance of this crash was observed so far. As per the
> > > databook:
> > > 
> > > "The controller always leaves one entry free in each Event Buffer.
> > > When the Event Buffer is almost full, hardware writes the Event
> > > Buffer Overflow event and the USB eventually gets stalled when
> > > endpoints start responding NRDY or the link layer stops returning
> > > credits (in SuperSpeed). This event is an indication to software that
> > > it is not processing events quickly enough. During this time, events
> > > are queued up internally. When software frees up Event Buffer space,
> > > the queued up events are written out and the USB returns to normal
> > > operation"
> > > 
> > > I didn't see any overflow event in the event buffer after parsing
> > > crash dump. Although this could be some HW issue, I thought we can
> > > include this fix in software as well to avoid such scenario.
> > > 
> > 
> > What's the GEVNTSIZ at the point of the crash? That's where the driver
> > tells the controller how much it allocated for the event buffer.
> > 
> > Check to make sure that it wasn't reset during operation (not cleanup).
> 
> 
> Hi Thinh,
> 
>  The last 3 RW traces were as follows:
> 
> <idle>-0    [001]   5834.471640:  dwc3_writel   base=0xffffffc0091dc000 
> offset=50184  value=4096
> <idle>-0    [001]   5834.471799:  dwc3_readl   base=0xffffffc0091dc000 
> offset=50188  value=63488
> <idle>-0    [001]   5834.471803:  dwc3_writel   base=0xffffffc0091dc000 
> offset=50184  value=2147487744
> 
> The first one was at the end of previous process_event_entry call where we
> unmasked the interrupt.
> 
> The second one was the read of GEVTCOUNT.
> 
> The third one was where we wrote 31st bit of the GEVTSIZ register to mask
> interrupt along with 4096 bytes to [15:0] bits.
> 
> There is only 100-150us gap between each of these read writes and if you are
> referring to whether the GEVTSIZ got modified in between, I am not sure of
> that.
> 

The read from GEVNTCOUNT looks corrupted. When was the last time (delta
time) an event was handled prior to the failure? If it's a short delta,
it further indicates that whatever the value returned is invalid.

So, setting count = evt->length if count > evt->length is no good. The
event count is probably much lower and you may end up reading stale
events.

It's odd that we are only able to see this issue now. For this type of
failure, it should've been exposed much early on. Is there potentially
something different for your setup/configuration that may cause this
issue. Also, how easily are you able to reproduce this. Did you try to
re-read the GEVNTCOUNT multiple times when this happens to see if the
value changes dramatically?

Thanks,
Thinh

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ