| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20241021120403.5764abbf@xps-13>
Date: Mon, 21 Oct 2024 12:04:03 +0200
From: Miquel Raynal <miquel.raynal@...tlin.com>
To: Frank Li <Frank.Li@....com>
Cc: Alexandre Belloni <alexandre.belloni@...tlin.com>,
linux-i3c@...ts.infradead.org, linux-kernel@...r.kernel.org, arnd@...db.de,
bbrezillon@...nel.org, boris.brezillon@...labora.com,
conor.culhane@...vaco.com, gregkh@...uxfoundation.org, imx@...ts.linux.dev,
pthombar@...ence.com, ravindra.yashvant.shinde@....com, stable@...nel.org
Subject: Re: [PATCH v7 3/3] i3c: master: Fix dynamic address leak when
'assigned-address' is present
Hi Frank,
Frank.Li@....com wrote on Tue, 08 Oct 2024 11:18:26 -0400:
> If the DTS contains 'assigned-address', a dynamic address leak occurs
> during hotjoin events.
>
> Assume a device have assigned-address 0xb.
> - Device issue Hotjoin
> - Call i3c_master_do_daa()
> - Call driver xxx_do_daa()
> - Call i3c_master_get_free_addr() to get dynamic address 0x9
> - i3c_master_add_i3c_dev_locked(0x9)
> - expected_dyn_addr = newdev->boardinfo->init_dyn_addr (0xb);
> - i3c_master_reattach_i3c_dev(newdev(0xb), old_dyn_addr(0x9));
> - if (dev->info.dyn_addr != old_dyn_addr &&
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 0xb != 0x9 -> TRUE
> (!dev->boardinfo ||
> ^^^^^^^^^^^^^^^ -> FALSE
> dev->info.dyn_addr != dev->boardinfo->init_dyn_addr)) {
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 0xb != 0xb -> FALSE
> ...
> i3c_bus_set_addr_slot_status(&master->bus, old_dyn_addr,
> I3C_ADDR_SLOT_FREE);
> ^^^
> This will be skipped. So old_dyn_addr never free
> }
>
> - i3c_master_get_free_addr() will return increased sequence number.
>
> Remove dev->info.dyn_addr != dev->boardinfo->init_dyn_addr condition check.
> dev->info.dyn_addr should be checked before calling this function because
> i3c_master_setnewda_locked() has already been called and the target device
> has already accepted dyn_addr. It is too late to check if dyn_addr is free
> in i3c_master_reattach_i3c_dev().
>
> Add check to ensure expected_dyn_addr is free before
> i3c_master_setnewda_locked().
>
> Fixes: cc3a392d69b6 ("i3c: master: fix for SETDASA and DAA process")
> Cc: stable@...nel.org
> Signed-off-by: Frank Li <Frank.Li@....com>
> ---
> Chagne v6 to v7
> - none
>
> Chagne v5 to v6
> - fixed version number to v5
> - fix merge conflict because change function name and macro name.
>
> Change v3 to v4
> - none
> ---
> drivers/i3c/master.c | 15 +++++----------
> 1 file changed, 5 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
> index e0962a17de7f0..9ccfabf849c42 100644
> --- a/drivers/i3c/master.c
> +++ b/drivers/i3c/master.c
> @@ -1548,16 +1548,9 @@ static int i3c_master_reattach_i3c_dev(struct i3c_dev_desc *dev,
> u8 old_dyn_addr)
> {
> struct i3c_master_controller *master = i3c_dev_get_master(dev);
> - enum i3c_addr_slot_status status;
> int ret;
>
> - if (dev->info.dyn_addr != old_dyn_addr &&
> - (!dev->boardinfo ||
> - dev->info.dyn_addr != dev->boardinfo->init_dyn_addr)) {
> - status = i3c_bus_get_addr_slot_status(&master->bus,
> - dev->info.dyn_addr);
> - if (status != I3C_ADDR_SLOT_FREE)
> - return -EBUSY;
> + if (dev->info.dyn_addr != old_dyn_addr) {
> i3c_bus_set_addr_slot_status(&master->bus,
> dev->info.dyn_addr,
> I3C_ADDR_SLOT_I3C_DEV);
> @@ -1960,9 +1953,10 @@ static int i3c_master_bus_init(struct i3c_master_controller *master)
> goto err_rstdaa;
> }
>
> + /* Not mark as occupied until real device exist in bus */
/* Do not mark
But with this changed,
Reviewed-by: Miquel Raynal <miquel.raynal@...tlin.com>
Thanks,
Miquèl
Powered by blists - more mailing lists