lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <o4vds7grtpvgn34afke5vbkb5ymqqglvudi2hdb4oekz52ujs6@ymuhslhr5oh7>
Date: Thu, 5 Sep 2024 23:23:56 +0200
From: Andi Shyti <andi.shyti@...nel.org>
To: Tyrone Ting <warp5tw@...il.com>
Cc: avifishman70@...il.com, tmaimon77@...il.com, tali.perry1@...il.com, 
	venture@...gle.com, yuenn@...gle.com, benjaminfair@...gle.com, 
	andriy.shevchenko@...ux.intel.com, wsa@...nel.org, rand.sec96@...il.com, 
	wsa+renesas@...g-engineering.com, tali.perry@...oton.com, Avi.Fishman@...oton.com, 
	tomer.maimon@...oton.com, KWLIU@...oton.com, JJLIU0@...oton.com, kfting@...oton.com, 
	openbmc@...ts.ozlabs.org, linux-i2c@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 1/7] i2c: npcm: restore slave addresses array length

Hi Tyrone,

On Fri, Aug 30, 2024 at 11:46:34AM GMT, Tyrone Ting wrote:
> The smatch check warning is "buffer overflow 'npcm_i2caddr' 2 <= 9".
> The original design supports 10 slave addresses although only 2

please remember that the "slave" term has been replaced by the
"target" term. I will change it when applying the patch.

> addresses are required for current implementation.
> 
> Restore the npcm_i2caddr array length to fix the smatch warning.
> 
> Fixes: 47d506d1a28f ("i2c: npcm: Remove own slave addresses 2:10")

I don't think the Fixes tag is necessary here. This change is
primarily addressing a static analyzer warning. While some cases
come close to a buffer overflow, it couldn’t have occurred in
practice since we don't actually have the devices listed in
npcm_i2caddr[].

> Reported-by: Dan Carpenter <dan.carpenter@...aro.org>
> Closes: https://lore.kernel.org/r/202408130818.FgDP5uNm-lkp@intel.com/
> Signed-off-by: Tyrone Ting <kfting@...oton.com>
> ---
>  drivers/i2c/busses/i2c-npcm7xx.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/i2c/busses/i2c-npcm7xx.c b/drivers/i2c/busses/i2c-npcm7xx.c
> index 2fe68615942e..bbcb4d6668ce 100644
> --- a/drivers/i2c/busses/i2c-npcm7xx.c
> +++ b/drivers/i2c/busses/i2c-npcm7xx.c
> @@ -136,11 +136,13 @@ enum i2c_addr {
>   * Since the addr regs are sprinkled all over the address space,
>   * use this array to get the address or each register.
>   */
> -#define I2C_NUM_OWN_ADDR 2
> +#define I2C_NUM_OWN_ADDR 10
>  #define I2C_NUM_OWN_ADDR_SUPPORTED 2
>  
>  static const int npcm_i2caddr[I2C_NUM_OWN_ADDR] = {
> -	NPCM_I2CADDR1, NPCM_I2CADDR2,
> +	NPCM_I2CADDR1, NPCM_I2CADDR2, NPCM_I2CADDR3, NPCM_I2CADDR4,
> +	NPCM_I2CADDR5, NPCM_I2CADDR6, NPCM_I2CADDR7, NPCM_I2CADDR8,
> +	NPCM_I2CADDR9, NPCM_I2CADDR10,

Looks a bit hacky, but serves the purpose.

The core issue in "npcm_i2c_slave_enable()" is the lack of an
upper boundary check, which could potentially lead to a buffer
overflow. In practice, we rely on the assumption that these
addresses don’t exist in the real world.

An easier fix could have been:

@@ -629,7 +629,7 @@ static int npcm_i2c_slave_enable(struct npcm_i2c *bus, enum i2c_addr addr_type,
        if (addr_type > I2C_SLAVE_ADDR2 && addr_type <= I2C_SLAVE_ADDR10)
                dev_err(bus->dev, "try to enable more than 2 SA not supported\n");

-       if (addr_type >= I2C_ARP_ADDR)
+       if (addr_type > I2C_SLAVE_ADDR2)
                return -EFAULT;

        /* Set and enable the address */

But yours is a bit more robust, so that I'm going to take this
patch.

Reviewed-by: Andi Shyti <andi.shyti@...nel.org>

Thanks,
Andi

>  };
>  #endif
>  
> -- 
> 2.34.1
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ