Message-ID: <8ab1e48a-f698-9859-3992-6a26f63d62f1@quicinc.com>
Date: Mon, 26 May 2025 12:23:33 +0530
From: Md Sadre Alam <quic_mdalam@...cinc.com>
To: Gabor Juhos <j4g8y7@...il.com>, Mark Brown <broonie@...nel.org>,
        Varadarajan Narayanan <quic_varada@...cinc.com>,
        Sricharan Ramabadhran <quic_srichara@...cinc.com>,
        Miquel Raynal <miquel.raynal@...tlin.com>,
        Richard Weinberger <richard@....at>,
        Vignesh Raghavendra <vigneshr@...com>
CC: <linux-spi@...r.kernel.org>, <linux-mtd@...ts.infradead.org>,
        <linux-arm-msm@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
        "Lakshmi Sowjanya D" <quic_laksd@...cinc.com>
Subject: Re: [PATCH 2/2] mtd: nand: qpic_common: prevent out of bounds access of BAM arrays

Hi,

On 5/25/2025 10:35 PM, Gabor Juhos wrote:
> The common QPIC code does not do any boundary checking when it handles
> the command elements and scatter gather list arrays of a BAM transaction,
> thus it allows to access out of bounds elements in those.
> 
> Although it is the responsibility of the given driver to allocate enough
> space for all possible BAM transaction variations, however there can be
> mistakes in the driver code which can lead to hidden memory corruption
> issues which are hard to debug.
> 
> This kind of problem has been observed during testing the 'spi-qpic-snand'
> driver. Although the driver has been fixed with a preceding patch, but it
> still makes sense to reduce the chance of having such errors again later.
> 
> In order to prevent such errors, change the qcom_alloc_bam_transaction()
> function to store the number of elements of the arrays in the
> 'bam_transaction' structure during allocation. Also, add sanity checks to
> the qcom_prep_bam_dma_desc_{cmd,data}() functions to avoid using out of
> bounds indices for the arrays.
> 
> Tested with the 'spi-qpic-snand' driver only.
I recommend testing this patch on both the IPQ and SDX platforms,
as the QPIC raw NAND driver is utilized across both.

If you have access to IPQ and SDX devices with raw NAND, please proceed
with testing on both.

Otherwise, I can handle testing on the IPQ raw NAND device and 
coordinate with Lakshmi Sowjanya D (quic_laksd@...cinc.com)
for testing on the SDX platform.

Thanks,
Alam.
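
The approach described in the quoted commit message (record each array's element count at allocation, then refuse any index past it), modelled in userspace C as an added example; it is not the kernel patch or code from this thread. The names `struct txn`, `txn_alloc()` and `txn_add_cmds()` and the element layouts are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-ins for a command element and a scatter-gather entry. */
struct cmd_elem { uint32_t addr; uint32_t data; };
struct sg_entry { const void *buf; size_t len; };

/* Transaction that remembers how many elements each array was allocated with. */
struct txn {
    struct cmd_elem *cmds;
    struct sg_entry *sgl;
    size_t cmds_size, sgl_size;   /* capacities recorded at allocation */
    size_t cmds_pos, sgl_pos;     /* next free index in each array */
};

/* Allocate both arrays and store their element counts alongside them. */
struct txn *txn_alloc(size_t n_cmds, size_t n_sgl)
{
    struct txn *t = calloc(1, sizeof(*t));
    if (!t)
        return NULL;
    t->cmds = calloc(n_cmds, sizeof(*t->cmds));
    t->sgl = calloc(n_sgl, sizeof(*t->sgl));
    if (!t->cmds || !t->sgl) {
        free(t->cmds); free(t->sgl); free(t);
        return NULL;
    }
    t->cmds_size = n_cmds;
    t->sgl_size = n_sgl;
    return t;
}

void txn_free(struct txn *t) { if (t) { free(t->cmds); free(t->sgl); free(t); } }

/* Queue n command elements plus one sgl entry describing them.
 * Returns -EINVAL instead of writing past the end of either array. */
int txn_add_cmds(struct txn *t, const struct cmd_elem *src, size_t n)
{
    /* cmds_pos never exceeds cmds_size, so the subtraction cannot wrap. */
    if (n > t->cmds_size - t->cmds_pos || t->sgl_pos >= t->sgl_size)
        return -EINVAL;
    for (size_t i = 0; i < n; i++)
        t->cmds[t->cmds_pos + i] = src[i];
    t->sgl[t->sgl_pos].buf = &t->cmds[t->cmds_pos];
    t->sgl[t->sgl_pos].len = n * sizeof(*src);
    t->sgl_pos++;
    t->cmds_pos += n;
    return 0;
}
```

A caller that under-sizes the allocation gets an error at the first overrunning request, not silent corruption of adjacent memory.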
