lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAPDyKFqzR4VJUHW5EHf7-vzZ=TNPDAngFYQfksduqgcx1qEAkg@mail.gmail.com>
Date: Thu, 11 Jul 2024 18:03:36 +0200
From: Ulf Hansson <ulf.hansson@...aro.org>
To: Bastien Curutchet <bastien.curutchet@...tlin.com>
Cc: Linus Walleij <linus.walleij@...aro.org>, linux-mmc@...r.kernel.org, 
	linux-kernel@...r.kernel.org, Thomas Petazzoni <thomas.petazzoni@...tlin.com>, 
	Herve Codina <herve.codina@...tlin.com>, 
	Christopher Cordahi <christophercordahi@...ometrics.ca>, stable@...r.kernel.org
Subject: Re: [PATCH 1/2] mmc: davinci_mmc: Prevent transmitted data size from
 exceeding sgm's length

On Thu, 11 Jul 2024 at 10:18, Bastien Curutchet
<bastien.curutchet@...tlin.com> wrote:
>
> No check is done on the size of the data to be transmiited. This causes
> a kernel panic when this size exceeds the sg_miter's length.
>
> Limit the number of transmitted bytes to sgm->length.
>
> Cc: stable@...r.kernel.org
> Fixes: ed01d210fd91 ("mmc: davinci_mmc: Use sg_miter for PIO")
> Signed-off-by: Bastien Curutchet <bastien.curutchet@...tlin.com>

Applied for fixes, thanks!

Kind regards
Uffe


> ---
>  drivers/mmc/host/davinci_mmc.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/mmc/host/davinci_mmc.c b/drivers/mmc/host/davinci_mmc.c
> index d7427894e0bc..c302eb380e42 100644
> --- a/drivers/mmc/host/davinci_mmc.c
> +++ b/drivers/mmc/host/davinci_mmc.c
> @@ -224,6 +224,9 @@ static void davinci_fifo_data_trans(struct mmc_davinci_host *host,
>         }
>         p = sgm->addr;
>
> +       if (n > sgm->length)
> +               n = sgm->length;
> +
>         /* NOTE:  we never transfer more than rw_threshold bytes
>          * to/from the fifo here; there's no I/O overlap.
>          * This also assumes that access width( i.e. ACCWD) is 4 bytes
> --
> 2.45.0
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ