Message-ID: <ibh3n7gl5qcawpiyjgxy2yum6jsmfv5lpfefuun3m2ktldcswl@odhjnmkj5jre>
Date: Fri, 15 Nov 2024 17:59:06 +0200
From: Dmitry Baryshkov <dmitry.baryshkov@...aro.org>
To: Krishna Kurapati <quic_kriskura@...cinc.com>
Cc: Vinod Koul <vkoul@...nel.org>, 
	Kishon Vijay Abraham I <kishon@...nel.org>, Bjorn Andersson <quic_bjorande@...cinc.com>, 
	Konrad Dybcio <konradybcio@...nel.org>, Andy Gross <agross@...nel.org>, 
	Stephen Boyd <swboyd@...omium.org>, linux-kernel@...r.kernel.org, linux-arm-msm@...r.kernel.org, 
	linux-phy@...ts.infradead.org, quic_ppratap@...cinc.com, quic_jackp@...cinc.com, 
	stable@...r.kernel.org
Subject: Re: [PATCH 5.15.y] phy: qcom: qmp: Fix NULL pointer dereference for
 USB Uni PHYs

On Fri, Nov 15, 2024 at 02:45:45PM +0530, Krishna Kurapati wrote:
> Commit [1] introduced DP support to QMP driver. While doing so, the
> dp and usb configuration structures were added to a combo_phy_cfg
> structure. During probe, the match data is used to parse and identify the
> dp and usb configs separately. While doing so, the usb_cfg variable
> represents the configuration parameters for USB part of the phy (whether
> it is DP-Combo or Uni). During probe, one corner case of parsing usb_cfg
> for Uni PHYs is left incomplete and it is left as NULL. This NULL variable
> further percolates down to qmp_phy_create() call essentially getting
> de-referenced and causing a crash.

The UNI PHY platforms don't have a usb3-phy subnode. As such the usb_cfg
variable should not be used in the for_each_available_child_of_node()
loop.

Please provide details for the platform on which you observe the crash
and the backtrace.

> 
> Subsequently, commit [2] split the driver into multiple files, each
> handling a specific PHY type (USB, DP-Combo, UFS, PCIe). During this
> refactoring, the probing process was modified, and the NULL pointer
> dereference issue no longer showed up.
> 
> [1]: https://lore.kernel.org/all/20200916231202.3637932-8-swboyd@chromium.org/
> [2]: https://lore.kernel.org/all/20220607213203.2819885-1-dmitry.baryshkov@linaro.org/
> 
> Fixes: 52e013d0bffa ("phy: qcom-qmp: Add support for DP in USB3+DP combo phy")
> Cc: stable@...r.kernel.org # 5.15.y
> Signed-off-by: Krishna Kurapati <quic_kriskura@...cinc.com>
> ---
>  drivers/phy/qualcomm/phy-qcom-qmp.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/phy/qualcomm/phy-qcom-qmp.c b/drivers/phy/qualcomm/phy-qcom-qmp.c
> index eef863108bfe..e22ee71aa060 100644
> --- a/drivers/phy/qualcomm/phy-qcom-qmp.c
> +++ b/drivers/phy/qualcomm/phy-qcom-qmp.c
> @@ -5714,6 +5714,8 @@ static int qcom_qmp_phy_probe(struct platform_device *pdev)
>  
>  		usb_cfg = combo_cfg->usb_cfg;
>  		cfg = usb_cfg; /* Setup clks and regulators */
> +	} else {
> +		usb_cfg = cfg;
>  	}
>  
>  	/* per PHY serdes; usually located at base address */
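Review bot: the new else branch sets usb_cfg = cfg for every PHY that does not take the combo path, and the commit message implies this pre-split file still serves UFS and PCIe PHYs as well as USB ones, so on those usb_cfg would point at a non-USB configuration. Consider guarding or fixing the consumer that dereferences usb_cfg (the commit message names qmp_phy_create()) rather than aliasing the pointer here, or at least add a comment on the else branch saying that usb_cfg equals cfg for non-combo PHYs and why that is safe. The hunk also does not show where cfg is assigned before this point, so the commit message should include the backtrace and the affected platform to confirm which path reaches the NULL dereference.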
> -- 
> 2.34.1
> 

-- 
With best wishes
Dmitry
