Message-ID: <20240612031510.14414-1-git@johnthomson.fastmail.com.au>
Date: Wed, 12 Jun 2024 13:15:10 +1000
From: John Thomson <git@...nthomson.fastmail.com.au>
To: rafal@...ecki.pl,
	srinivas.kandagatla@...aro.org
Cc: linux-kernel@...r.kernel.org,
	John Thomson <git@...nthomson.fastmail.com.au>
Subject: [RFC] nvmem: u-boot-env: error if device too small

Using a DTB description of u_boot,env within an MTD partition that
starts beyond the end of the hardware results in kernel panic in
u_boot_env_parse, where the crc32 is calculated.

When mtdpart detects an out of reach partition, its size and offset
are set to zero. Add a check in u-boot-env before running the crc32,
that the data to be processed is reachable. This situation should only
ever be reached through hardware error or misconfiguration, but it is
handled gracefully at the MTD level.

Signed-off-by: John Thomson <git@...nthomson.fastmail.com.au>
---
RFC

Only tested on OpenWrt's Linux 6.6 based kernel (which has nvmem
backports from 6.8), but it's not mainline Linux kernel.
---
 drivers/nvmem/u-boot-env.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/nvmem/u-boot-env.c b/drivers/nvmem/u-boot-env.c
index befbab156cda..6e73d042467b 100644
--- a/drivers/nvmem/u-boot-env.c
+++ b/drivers/nvmem/u-boot-env.c
@@ -176,6 +176,13 @@ static int u_boot_env_parse(struct u_boot_env *priv)
 		data_offset = offsetof(struct u_boot_env_image_broadcom, data);
 		break;
 	}
+
+	if (bytes < crc32_data_offset) {
+		dev_err(dev, "Device too small for u-boot-env\n");
+		err = -EIO;
+		goto err_kfree;
+	}
+
 	crc32_addr = (__le32 *)(buf + crc32_offset);
 	crc32 = le32_to_cpu(*crc32_addr);
 	crc32_data_len = dev_size - crc32_data_offset;
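Review bot: The added guard `if (bytes < crc32_data_offset)` tests `bytes`, but the subtraction it is meant to protect, `crc32_data_len = dev_size - crc32_data_offset;`, uses `dev_size`. If the two values can differ, the length can still go negative or wrap, so comparing `dev_size` (or both values) against `crc32_data_offset` would tie the check to the quantity actually used. The comparison is also strict: a device of exactly `crc32_data_offset` bytes passes and yields a zero-length CRC region, so please confirm whether `<=` is intended. Printing the two sizes in the `dev_err` message would make the misconfiguration described in the commit message easier to diagnose from the log.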
-- 
2.45.1

