lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20250324054805.3x3nwl4vtvf63rwj@vireshk-i7>
Date: Mon, 24 Mar 2025 11:18:05 +0530
From: Viresh Kumar <viresh.kumar@...aro.org>
To: Jernej Škrabec <jernej.skrabec@...il.com>
Cc: Yangtao Li <tiny.windzz@...il.com>,
	"Rafael J . Wysocki" <rafael@...nel.org>,
	Chen-Yu Tsai <wens@...e.org>, Samuel Holland <samuel@...lland.org>,
	Andre Przywara <andre.przywara@....com>,
	Brandon Cheo Fusi <fusibrandon13@...il.com>,
	linux-pm@...r.kernel.org, linux-arm-kernel@...ts.infradead.org,
	linux-sunxi@...ts.linux.dev, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] cpufreq: sun50i: prevent out-of-bounds access

On 22-03-25, 08:38, Jernej Škrabec wrote:
> Dne četrtek, 20. marec 2025 ob 16:55:57 Srednjeevropski standardni čas je Andre Przywara napisal(a):
> > A KASAN enabled kernel reports an out-of-bounds access when handling the
> > nvmem cell in the sun50i cpufreq driver:
> > ==================================================================
> > BUG: KASAN: slab-out-of-bounds in sun50i_cpufreq_nvmem_probe+0x180/0x3d4
> > Read of size 4 at addr ffff000006bf31e0 by task kworker/u16:1/38
> > 
> > This is because the DT specifies the nvmem cell as covering only two
> > bytes, but we use a u32 pointer to read the value. DTs for other SoCs
> > indeed specify 4 bytes, so we cannot just shorten the variable to a u16.
> > 
> > Fortunately nvmem_cell_read() allows to return the length of the nvmem
> > cell, in bytes, so we can use that information to only access the valid
> > portion of the data.
> > To cover multiple cell sizes, use memcpy() to copy the information into a
> > zeroed u32 buffer, then also make sure we always read the data in little
> > endian fashion, as this is how the data is stored in the SID efuses.
> > 
> > Fixes: 6cc4bcceff9a ("cpufreq: sun50i: Refactor speed bin decoding")
> > Reported-by: Jernej Skrabec <jernej.skrabec@...il.com>
> > Signed-off-by: Andre Przywara <andre.przywara@....com>
> 
> Thanks for fixing that!
> 
> Reviewed-by: Jernej Škrabec <jernej.skrabec@...il.com>

Applied. Thanks.

-- 
viresh

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ