lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAMZdPi8UJmxULXOsvTCJNDcvYHxBsVhK9H5_eGOhMg6TkXoQfw@mail.gmail.com>
Date:   Mon, 16 Oct 2023 15:48:28 +0200
From:   Loic Poulain <loic.poulain@...aro.org>
To:     Srinivas Kandagatla <srinivas.kandagatla@...aro.org>
Cc:     linux-kernel@...r.kernel.org
Subject: Re: [PATCH] nvmem: core: Fix possible buffer overflow on nvmem cell write

Hi Srini,

On Sat, 7 Oct 2023 at 12:22, Srinivas Kandagatla
<srinivas.kandagatla@...aro.org> wrote:
>
> Thanks Loic for the patch,
>
> On 03/10/2023 14:13, Loic Poulain wrote:
> > Nothing prevents a nvmem consumer to try writing excessive data to a
> > given nvmem cell (except when bit_offset is 0). The allocated buffer
> > of size 'cell->bytes' in nvmem_cell_prepare_write_buffer may not be
> > large enough to host the copied 'len' bytes.
> >
> Did you hit this path?
>
>   __nvmem_cell_entry_write already has a check for (cell->bit_offset ==
> 0 && len != cell->bytes))
>
> What is the bit_offset in your case?
>
> Can you provide more details?

I hit the issue while playing with nvmem-reboot-mode driver,
allocating 2-bit of a persistent register at bit-offset 2 for the
reboot mode. nvmem-reboot-mode drivers call nvmem_cell_write() with a
32-bit len value, so we end in nvmem_cell_prepare_write_buffer
allocating a 1-byte (cell->bytes) buffer and copying a 4-byte len
value into it. You can find below the dts example.

```
{
     &snvs_lpgpr{
         #address-cells = <1>;
         #size-cells = <1>;

        something@0 {
             /* reg[2:0] */
             reg = <0x0 0x4>;
             bits = <2 2>;
        };

        reboot_mode: reboot-mode@0 {
            /* reg[4:2] */
            reg = <0x0 0x4>;
            bits = <2 2>;
        };
    };

    reboot-mode {
        compatible = "nvmem-reboot-mode";
        nvmem-cells = <&reboot_mode>;
        nvmem-cell-names = "reboot-mode";
        mode-normal = <0>;
        mode-fastboot = <1>;
        mode-recovery = <2>;
    };
};
```

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ