Date: Tue, 25 Jun 2024 12:58:04 +0300
From: Aleksandr Mishin <amishin@...rgos.ru>
To: Martyn Welch <martyn.welch@...anuc.com>
CC: Aleksandr Mishin <amishin@...rgos.ru>, Greg Kroah-Hartman
	<gregkh@...uxfoundation.org>, Soumya Negi <soumya.negi97@...il.com>, Michael
 Straube <straube.linux@...il.com>, <linux-kernel@...r.kernel.org>,
	<linux-staging@...ts.linux.dev>, <lvc-project@...uxtesting.org>, Dan
 Carpenter <dan.carpenter@...aro.org>
Subject: [PATCH v2] staging: vme_user: Validate geoid value used for VME window address

The address of the VME window is either set by jumpers (VME64) or derived from
the slot number (geographical addressing, VME64x) with the formula:
address = slot# * 0x80000
https://indico.cern.ch/event/68278/contributions/1234555/attachments/1024465/1458672/VMEbus.pdf

The slot# value can be set from the module parameter 'geoid', which can contain
any value. In this case the value of the arithmetic expression 'slot# * 0x80000'
is subject to overflow because its operands are not cast to a larger data
type before performing arithmetic.

Validate the provided geoid value using the Geographic Addr Mask.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: d22b8ed9a3b0 ("Staging: vme: add Tundra TSI148 VME-PCI Bridge driver")
Suggested-by: Dan Carpenter <dan.carpenter@...aro.org>
Signed-off-by: Aleksandr Mishin <amishin@...rgos.ru>
---
v1->v2: Move geoid validation to the probe() function as suggested by Dan

 drivers/staging/vme_user/vme_tsi148.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/vme_user/vme_tsi148.c b/drivers/staging/vme_user/vme_tsi148.c
index 2ec9c2904404..e7fcbc3f4348 100644
--- a/drivers/staging/vme_user/vme_tsi148.c
+++ b/drivers/staging/vme_user/vme_tsi148.c
@@ -2448,12 +2448,17 @@ static int tsi148_probe(struct pci_dev *pdev, const struct pci_device_id *id)
 	data = ioread32be(tsi148_device->base + TSI148_LCSR_VSTAT);
 	dev_info(&pdev->dev, "Board is%s the VME system controller\n",
 		(data & TSI148_LCSR_VSTAT_SCONS) ? "" : " not");
-	if (!geoid)
+	if (!geoid) {
 		dev_info(&pdev->dev, "VME geographical address is %d\n",
 			data & TSI148_LCSR_VSTAT_GA_M);
-	else
+	} else if (geoid & ~TSI148_LCSR_VSTAT_GA_M) {
+		dev_err(&pdev->dev, "VME geographical address is out of range\n");
+		retval = -EINVAL;
+		goto err_crcsr;
+	} else {
 		dev_info(&pdev->dev, "VME geographical address is set to %d\n",
 			geoid);
+	}
 
 	dev_info(&pdev->dev, "VME Write and flush and error check is %s\n",
 		err_chk ? "enabled" : "disabled");
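Review bot: in the new `else if (geoid & ~TSI148_LCSR_VSTAT_GA_M)` branch, the dev_err() message does not report the rejected value, so whoever set the module parameter gets no hint about what was wrong; consider `dev_err(&pdev->dev, "VME geographical address %d is out of range\n", geoid);`. The branch jumps to err_crcsr, which lies outside this hunk, so it is worth confirming that the label unwinds exactly what probe has set up by this point. A one-line comment saying that this bound is what keeps the later slot# * 0x80000 computation from overflowing would tie the check to the reason given in the commit message.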
-- 
2.30.2
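
The overflow and the mask check described in the commit message, as an added example that is not part of the original patch or the driver. The 5-bit `GA_MASK` value and the function names are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: a 5-bit geographical address field, standing in for
 * TSI148_LCSR_VSTAT_GA_M, whose value is not shown in the patch. */
#define GA_MASK     0x1Fu
#define SLOT_STRIDE 0x80000u	/* from the formula in the commit message */

/* Returns 1 if slot * 0x80000 no longer fits in 32 bits, i.e. the
 * truncated product differs from the one computed in a 64-bit type. */
static int product_wraps32(uint32_t slot)
{
	uint32_t narrow = slot * SLOT_STRIDE;		/* wraps mod 2^32 */
	uint64_t wide = (uint64_t)slot * SLOT_STRIDE;	/* exact */

	return wide != narrow;
}

/* Same test shape as the patch: reject any bit outside the mask.
 * Negative values are rejected too, because their high bits are set. */
static int window_address(int geoid, uint32_t *addr)
{
	if ((unsigned int)geoid & ~GA_MASK)
		return -EINVAL;
	*addr = (uint32_t)geoid * SLOT_STRIDE;
	return 0;
}

int main(void)
{
	/* Constructed sample values for the geoid parameter. */
	int samples[] = { 1, 31, 32, 8192, -1 };
	uint32_t addr;

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		if (window_address(samples[i], &addr))
			printf("geoid %d: rejected, wraps in 32 bits: %d\n",
			       samples[i], product_wraps32((uint32_t)samples[i]));
		else
			printf("geoid %d: address 0x%x\n", samples[i], (unsigned)addr);
	}
	return 0;
}
```

With a stride of 0x80000 (2^19), the 32-bit product first wraps at slot 8192, so any value that passes the 5-bit mask is far below the overflow threshold.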

