[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <CAMZdPi8UJmxULXOsvTCJNDcvYHxBsVhK9H5_eGOhMg6TkXoQfw@mail.gmail.com>
Date: Mon, 16 Oct 2023 15:48:28 +0200
From: Loic Poulain <loic.poulain@...aro.org>
To: Srinivas Kandagatla <srinivas.kandagatla@...aro.org>
Cc: linux-kernel@...r.kernel.org
Subject: Re: [PATCH] nvmem: core: Fix possible buffer overflow on nvmem cell write
Hi Srini,
On Sat, 7 Oct 2023 at 12:22, Srinivas Kandagatla
<srinivas.kandagatla@...aro.org> wrote:
>
> Thanks Loic for the patch,
>
> On 03/10/2023 14:13, Loic Poulain wrote:
> > Nothing prevents a nvmem consumer to try writing excessive data to a
> > given nvmem cell (except when bit_offset is 0). The allocated buffer
> > of size 'cell->bytes' in nvmem_cell_prepare_write_buffer may not be
> > large enough to host the copied 'len' bytes.
> >
> Did you hit this path?
>
> __nvmem_cell_entry_write already has a check for (cell->bit_offset ==
> 0 && len != cell->bytes))
>
> What is the bit_offset in your case?
>
> Can you provide more details?
I hit the issue while playing with nvmem-reboot-mode driver,
allocating 2-bit of a persistent register at bit-offset 2 for the
reboot mode. nvmem-reboot-mode drivers call nvmem_cell_write() with a
32-bit len value, so we end in nvmem_cell_prepare_write_buffer
allocating a 1-byte (cell->bytes) buffer and copying a 4-byte len
value into it. You can find below the dts example.
```
{
&snvs_lpgpr{
#address-cells = <1>;
#size-cells = <1>;
something@0 {
/* reg[2:0] */
reg = <0x0 0x4>;
bits = <2 2>;
};
reboot_mode: reboot-mode@0 {
/* reg[4:2] */
reg = <0x0 0x4>;
bits = <2 2>;
};
};
reboot-mode {
compatible = "nvmem-reboot-mode";
nvmem-cells = <&reboot_mode>;
nvmem-cell-names = "reboot-mode";
mode-normal = <0>;
mode-fastboot = <1>;
mode-recovery = <2>;
};
};
```
Powered by blists - more mailing lists