Message-ID: <20241021120403.5764abbf@xps-13>
Date: Mon, 21 Oct 2024 12:04:03 +0200
From: Miquel Raynal <miquel.raynal@...tlin.com>
To: Frank Li <Frank.Li@....com>
Cc: Alexandre Belloni <alexandre.belloni@...tlin.com>,
 linux-i3c@...ts.infradead.org, linux-kernel@...r.kernel.org, arnd@...db.de,
 bbrezillon@...nel.org, boris.brezillon@...labora.com,
 conor.culhane@...vaco.com, gregkh@...uxfoundation.org, imx@...ts.linux.dev,
 pthombar@...ence.com, ravindra.yashvant.shinde@....com, stable@...nel.org
Subject: Re: [PATCH v7 3/3] i3c: master: Fix dynamic address leak when
 'assigned-address' is present

Hi Frank,

Frank.Li@....com wrote on Tue, 08 Oct 2024 11:18:26 -0400:

> If the DTS contains 'assigned-address', a dynamic address leak occurs
> during hotjoin events.
> 
> Assume a device has assigned-address 0xb.
>   - Device issues Hotjoin
>   - Call i3c_master_do_daa()
>   - Call driver xxx_do_daa()
>   - Call i3c_master_get_free_addr() to get dynamic address 0x9
>   - i3c_master_add_i3c_dev_locked(0x9)
>   -     expected_dyn_addr  = newdev->boardinfo->init_dyn_addr (0xb);
>   -     i3c_master_reattach_i3c_dev(newdev(0xb), old_dyn_addr(0x9));
>   -         if (dev->info.dyn_addr != old_dyn_addr &&
>                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 0xb != 0x9 -> TRUE
>                 (!dev->boardinfo ||
>                  ^^^^^^^^^^^^^^^ ->  FALSE
>                  dev->info.dyn_addr != dev->boardinfo->init_dyn_addr)) {
>                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>                  0xb != 0xb      ->  FALSE
>                  ...
>                  i3c_bus_set_addr_slot_status(&master->bus, old_dyn_addr,
>                                                      I3C_ADDR_SLOT_FREE);
> 		 ^^^
>                  This will be skipped. So old_dyn_addr is never freed
>             }
> 
>   - i3c_master_get_free_addr() will return increased sequence number.
> 
> Remove dev->info.dyn_addr != dev->boardinfo->init_dyn_addr condition check.
> dev->info.dyn_addr should be checked before calling this function because
> i3c_master_setnewda_locked() has already been called and the target device
> has already accepted dyn_addr. It is too late to check if dyn_addr is free
> in i3c_master_reattach_i3c_dev().
> 
> Add check to ensure expected_dyn_addr is free before
> i3c_master_setnewda_locked().
> 
> Fixes: cc3a392d69b6 ("i3c: master: fix for SETDASA and DAA process")
> Cc: stable@...nel.org
> Signed-off-by: Frank Li <Frank.Li@....com>
> ---
> Change v6 to v7
> - none
> 
> Change v5 to v6
> - fixed version number to v5
> - fix merge conflict because change function name and macro name.
> 
> Change v3 to v4
> - none
> ---
>  drivers/i3c/master.c | 15 +++++----------
>  1 file changed, 5 insertions(+), 10 deletions(-)
> 
> diff --git a/drivers/i3c/master.c b/drivers/i3c/master.c
> index e0962a17de7f0..9ccfabf849c42 100644
> --- a/drivers/i3c/master.c
> +++ b/drivers/i3c/master.c
> @@ -1548,16 +1548,9 @@ static int i3c_master_reattach_i3c_dev(struct i3c_dev_desc *dev,
>  				       u8 old_dyn_addr)
>  {
>  	struct i3c_master_controller *master = i3c_dev_get_master(dev);
> -	enum i3c_addr_slot_status status;
>  	int ret;
>  
> -	if (dev->info.dyn_addr != old_dyn_addr &&
> -	    (!dev->boardinfo ||
> -	     dev->info.dyn_addr != dev->boardinfo->init_dyn_addr)) {
> -		status = i3c_bus_get_addr_slot_status(&master->bus,
> -						      dev->info.dyn_addr);
> -		if (status != I3C_ADDR_SLOT_FREE)
> -			return -EBUSY;
> +	if (dev->info.dyn_addr != old_dyn_addr) {
>  		i3c_bus_set_addr_slot_status(&master->bus,
>  					     dev->info.dyn_addr,
>  					     I3C_ADDR_SLOT_I3C_DEV);
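
Review bot: In i3c_master_reattach_i3c_dev(), dropping the `status != I3C_ADDR_SLOT_FREE` / `return -EBUSY` guard means the new `if (dev->info.dyn_addr != old_dyn_addr)` branch marks the slot I3C_ADDR_SLOT_I3C_DEV without looking at its current state, so an address already held by another device would be silently overwritten in the bus bookkeeping. The commit message moves that responsibility to the caller, before i3c_master_setnewda_locked(); that precondition should be stated in a comment above this function, and every caller of the reattach helper should be confirmed to perform the free-slot check, since the quoted part of the diff does not show the caller-side change.
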
> @@ -1960,9 +1953,10 @@ static int i3c_master_bus_init(struct i3c_master_controller *master)
>  			goto err_rstdaa;
>  		}
>  
> +		/* Not mark as occupied until real device exist in bus */
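
Review bot: The comment added at the end of this hunk does not say which address slot is left unmarked or where it gets marked later, and its grammar is off. Something like "Do not mark the address as occupied until a real device exists on the bus", naming the address concerned, would be clearer; the code the comment describes is cut off in this quote, so the final wording should be checked against it.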

		/* Do not mark

But with this changed,

Reviewed-by: Miquel Raynal <miquel.raynal@...tlin.com>

Thanks,
Miquèl
