Message-ID: <5b6901d9-f404-43b9-87eb-577124efa3f3@linaro.org>
Date: Tue, 29 Oct 2024 17:55:07 +0000
From: Srinivas Kandagatla <srinivas.kandagatla@...aro.org>
To: Jennifer Berringer <jberring@...hat.com>,
 Sebastian Reichel <sre@...nel.org>,
 Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
 Maxime Ripard <mripard@...nel.org>
Cc: linux-kernel@...r.kernel.org, linux-pm@...r.kernel.org
Subject: Re: [PATCH v2 1/3] nvmem: core: improve range check for
 nvmem_cell_write()



On 24/10/2024 16:40, Jennifer Berringer wrote:
> When __nvmem_cell_entry_write() is called for an nvmem cell that does
> not need bit shifting, it requires that the len parameter exactly
> matches the nvmem cell size. However, when the nvmem cell has a nonzero
> bit_offset, it was skipping this check.
> 
Thanks for spotting this, we should filter this out correctly.

> Accepting values of len larger than the cell size results in
> nvmem_cell_prepare_write_buffer() trying to write past the end of a heap
> buffer that it allocates. This patch adds a check to avoid that problem
> and instead return -EINVAL when len is too large.
> 
> Rather than unconditionally checking that len exactly matches the nvmem
> cell size, allowing len to be smaller when bit shifts are involved may
> be helpful because some devices have nvmem cells that are less than 8
> bits but span two bytes, although no current devices or drivers that do
> this seem to rely on nvmem_cell_write(). This possibility can be handled
> by nvmem_cell_prepare_write_buffer() because it allocates an
> appropriately-sized heap buffer and avoids reading past the end of buf.
> 
> Fixes: 69aba7948cbe ("nvmem: Add a simple NVMEM framework for consumers")
> 
> Signed-off-by: Jennifer Berringer <jberring@...hat.com>
> ---
>   drivers/nvmem/core.c | 7 +++++--
>   1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c
> index 33ffa2aa4c11..74bf4d35a7a7 100644
> --- a/drivers/nvmem/core.c
> +++ b/drivers/nvmem/core.c
> @@ -1767,8 +1767,7 @@ static int __nvmem_cell_entry_write(struct nvmem_cell_entry *cell, void *buf, si
>   	struct nvmem_device *nvmem = cell->nvmem;
>   	int rc;
>   
> -	if (!nvmem || nvmem->read_only ||
> -	    (cell->bit_offset == 0 && len != cell->bytes))
> +	if (!nvmem || nvmem->read_only)


if (!nvmem || nvmem->read_only || len != cell->bytes)
	return -EINVAL;

Does this work?

--srini
>   		return -EINVAL;
>   
>   	/*
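
Review bot: Dropping the len test from the `if (!nvmem || nvmem->read_only)` guard leaves len unvalidated at function entry, so the overflow protection now depends on every later branch checking len before buf is used. Consider keeping an upper bound in this guard, for example `if (!nvmem || nvmem->read_only || len > cell->bytes)`, and leaving only the exact-match test for the non-shifted case further down, so the bound lives in one place that no later path can skip. The unconditional `len != cell->bytes` suggested in the reply above is simpler, but it would reject the shorter-than-cell writes that the commit message wants to permit for cells with a bit offset, so whichever form is chosen, the reason belongs in the commit message.
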
> @@ -1780,9 +1779,13 @@ static int __nvmem_cell_entry_write(struct nvmem_cell_entry *cell, void *buf, si
>   		return -EINVAL;
>   
>   	if (cell->bit_offset || cell->nbits) {
> +		if (len > cell->bytes)
> +			return -EINVAL;
>   		buf = nvmem_cell_prepare_write_buffer(cell, buf, len);
>   		if (IS_ERR(buf))
>   			return PTR_ERR(buf);
> +	} else if (len != cell->bytes) {
> +		return -EINVAL;
>   	}
>   
>   	rc = nvmem_reg_write(nvmem, cell->offset, buf, cell->bytes);
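
Review bot: The new `if (len > cell->bytes)` test in the bit-shift branch still accepts len == 0 and any shorter length, while the `nvmem_reg_write(nvmem, cell->offset, buf, cell->bytes)` call at the end of the hunk always writes cell->bytes bytes from buf. That is safe only as long as nvmem_cell_prepare_write_buffer() returns a buffer of at least cell->bytes bytes regardless of len, which the commit message asserts but nothing in this hunk documents. A one-line comment above the check stating that contract, plus an explicit decision on whether len == 0 should return -EINVAL, would make the asymmetry with the `else if (len != cell->bytes)` branch easier to audit.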
