lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <7903580d-685c-14e6-5572-81a4cb31cced@amlogic.com>
Date:   Thu, 8 Jun 2023 14:42:53 +0800
From:   Liang Yang <liang.yang@...ogic.com>
To:     Arseniy Krasnov <avkrasnov@...rdevices.ru>,
        Miquel Raynal <miquel.raynal@...tlin.com>,
        Richard Weinberger <richard@....at>,
        Vignesh Raghavendra <vigneshr@...com>,
        Neil Armstrong <neil.armstrong@...aro.org>,
        Kevin Hilman <khilman@...libre.com>,
        Jerome Brunet <jbrunet@...libre.com>,
        Martin Blumenstingl <martin.blumenstingl@...glemail.com>
Cc:     oxffffaa@...il.com, kernel@...rdevices.ru,
        linux-mtd@...ts.infradead.org,
        linux-arm-kernel@...ts.infradead.org,
        linux-amlogic@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] mtd: rawnand: meson: check buffer length

Hi Arseniy,

On 2023/6/8 5:17, Arseniy Krasnov wrote:
> [ EXTERNAL EMAIL ]
> 
> Hi again Miquel, Liang!
> 
> What do You think about this patch?
> 
> Thanks, Arseniy
> 
> On 06.06.2023 19:29, Arseniy Krasnov wrote:
>> Sorry, here is changelog:
>> v1 -> v2:
>> * Move checks from 'switch/case' which executes commands in 'meson_nfc_exec_op()' to a special
>>    separated function 'meson_nfc_check_op()' which is called before commands processing.
>>
>> On 06.06.2023 13:16, Arseniy Krasnov wrote:
>>> Meson NAND controller has limited buffer length, so check it before
>>> command execution to avoid length trim. Also check MTD write size on
>>> chip attach.
>>>
>>> Signed-off-by: Arseniy Krasnov <AVKrasnov@...rdevices.ru>
>>> ---
>>>   drivers/mtd/nand/raw/meson_nand.c | 47 +++++++++++++++++++++++++++----
>>>   1 file changed, 42 insertions(+), 5 deletions(-)
>>>
>>> diff --git a/drivers/mtd/nand/raw/meson_nand.c b/drivers/mtd/nand/raw/meson_nand.c
>>> index 23a73268421b..db6b18753071 100644
>>> --- a/drivers/mtd/nand/raw/meson_nand.c
>>> +++ b/drivers/mtd/nand/raw/meson_nand.c
>>> @@ -111,6 +111,8 @@
>>>
>>>   #define PER_INFO_BYTE               8
>>>
>>> +#define NFC_CMD_RAW_LEN     GENMASK(13, 0)
>>> +
>>>   struct meson_nfc_nand_chip {
>>>       struct list_head node;
>>>       struct nand_chip nand;
>>> @@ -284,7 +286,7 @@ static void meson_nfc_cmd_access(struct nand_chip *nand, int raw, bool dir,
>>>
>>>       if (raw) {
>>>               len = mtd->writesize + mtd->oobsize;
>>> -            cmd = (len & GENMASK(13, 0)) | scrambler | DMA_DIR(dir);
>>> +            cmd = len | scrambler | DMA_DIR(dir);
>>>               writel(cmd, nfc->reg_base + NFC_REG_CMD);

I think we could keep "& GENMASK(13, 0)". it is better here to indicate 
how many bits of length in this command and don't destory the command 
once we don't check the "len" outside of this function. or the code "if 
(len >  NFC_CMD_RAW_LEN)" is better to put inside this function nearly. 
Thanks.

>>>               return;
>>>       }
>>> @@ -573,7 +575,7 @@ static int meson_nfc_read_buf(struct nand_chip *nand, u8 *buf, int len)
>>>       if (ret)
>>>               goto out;
>>>
>>> -    cmd = NFC_CMD_N2M | (len & GENMASK(13, 0));
>>> +    cmd = NFC_CMD_N2M | len;
>>>       writel(cmd, nfc->reg_base + NFC_REG_CMD);
>>>
>>>       meson_nfc_drain_cmd(nfc);
>>> @@ -597,7 +599,7 @@ static int meson_nfc_write_buf(struct nand_chip *nand, u8 *buf, int len)
>>>       if (ret)
>>>               return ret;
>>>
>>> -    cmd = NFC_CMD_M2N | (len & GENMASK(13, 0));
>>> +    cmd = NFC_CMD_M2N | len;
>>>       writel(cmd, nfc->reg_base + NFC_REG_CMD);
>>>
>>>       meson_nfc_drain_cmd(nfc);
>>> @@ -1007,6 +1009,31 @@ meson_nand_op_put_dma_safe_output_buf(const struct nand_op_instr *instr,
>>>               kfree(buf);
>>>   }
>>>
>>> +static int meson_nfc_check_op(struct nand_chip *chip,
>>> +                          const struct nand_operation *op)
>>> +{
>>> +    int op_id;
>>> +
>>> +    for (op_id = 0; op_id < op->ninstrs; op_id++) {
>>> +            const struct nand_op_instr *instr;
>>> +
>>> +            instr = &op->instrs[op_id];
>>> +
>>> +            switch (instr->type) {
>>> +            case NAND_OP_DATA_IN_INSTR:
>>> +            case NAND_OP_DATA_OUT_INSTR:
>>> +                    if (instr->ctx.data.len > NFC_CMD_RAW_LEN)
>>> +                            return -ENOTSUPP;
>>> +
>>> +                    break;
>>> +            default:
>>> +                    break;
>>> +            }
>>> +    }
>>> +
>>> +    return 0;
>>> +}
>>> +
>>>   static int meson_nfc_exec_op(struct nand_chip *nand,
>>>                            const struct nand_operation *op, bool check_only)
>>>   {
>>> @@ -1015,10 +1042,12 @@ static int meson_nfc_exec_op(struct nand_chip *nand,
>>>       const struct nand_op_instr *instr = NULL;
>>>       void *buf;
>>>       u32 op_id, delay_idle, cmd;
>>> +    int err;
>>>       int i;
>>>
>>> -    if (check_only)
>>> -            return 0;
>>> +    err = meson_nfc_check_op(nand, op);
>>> +    if (err || check_only)
>>> +            return err;
>>>
>>>       meson_nfc_select_chip(nand, op->cs);
>>>       for (op_id = 0; op_id < op->ninstrs; op_id++) {
>>> @@ -1293,6 +1322,7 @@ static int meson_nand_attach_chip(struct nand_chip *nand)
>>>       struct meson_nfc_nand_chip *meson_chip = to_meson_nand(nand);
>>>       struct mtd_info *mtd = nand_to_mtd(nand);
>>>       int nsectors = mtd->writesize / 1024;
>>> +    int raw_writesize;
>>>       int ret;
>>>
>>>       if (!mtd->name) {
>>> @@ -1304,6 +1334,13 @@ static int meson_nand_attach_chip(struct nand_chip *nand)
>>>                       return -ENOMEM;
>>>       }
>>>
>>> +    raw_writesize = mtd->writesize + mtd->oobsize;
>>> +    if (raw_writesize > NFC_CMD_RAW_LEN) {
>>> +            dev_err(nfc->dev, "too big write size in raw mode: %d > %ld\n",
>>> +                    raw_writesize, NFC_CMD_RAW_LEN);
>>> +            return -EINVAL;
>>> +    }
>>> +
>>>       if (nand->bbt_options & NAND_BBT_USE_FLASH)
>>>               nand->bbt_options |= NAND_BBT_NO_OOB;
>>>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ