[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20240612031510.14414-1-git@johnthomson.fastmail.com.au>
Date: Wed, 12 Jun 2024 13:15:10 +1000
From: John Thomson <git@...nthomson.fastmail.com.au>
To: rafal@...ecki.pl,
srinivas.kandagatla@...aro.org
Cc: linux-kernel@...r.kernel.org,
John Thomson <git@...nthomson.fastmail.com.au>
Subject: [RFC] nvmem: u-boot-env: error if device too small
Using a DTB description of u_boot,env within an MTD partition that
starts beyond the end of the hardware results in kernel panic in
u_boot_env_parse, where the crc32 is calculated.
When mtdpart detects an out of reach partition, its size and offset
are set to zero. Add a check in u-boot-env before running the crc32,
that the data to be processed is reachable. This situation should only
ever be reached through hardware error or misconfiguration, but it is
handled gracefully at the MTD level.
Signed-off-by: John Thomson <git@...nthomson.fastmail.com.au>
---
RFC
Only tested on OpenWrt's Linux 6.6 based kernel (which has nvmem
backports from 6.8), but it's not mainline Linux kernel.
---
drivers/nvmem/u-boot-env.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/nvmem/u-boot-env.c b/drivers/nvmem/u-boot-env.c
index befbab156cda..6e73d042467b 100644
--- a/drivers/nvmem/u-boot-env.c
+++ b/drivers/nvmem/u-boot-env.c
@@ -176,6 +176,13 @@ static int u_boot_env_parse(struct u_boot_env *priv)
data_offset = offsetof(struct u_boot_env_image_broadcom, data);
break;
}
+
+ if (bytes < crc32_data_offset) {
+ dev_err(dev, "Device too small for u-boot-env\n");
+ err = -EIO;
+ goto err_kfree;
+ }
+
crc32_addr = (__le32 *)(buf + crc32_offset);
crc32 = le32_to_cpu(*crc32_addr);
crc32_data_len = dev_size - crc32_data_offset;
--
2.45.1
Powered by blists - more mailing lists