Message-ID: <b9134a1d-3dbc-4cd9-b22a-90b1c8934ce9@gmail.com>
Date: Mon, 26 May 2025 22:01:29 +0200
From: Gabor Juhos <j4g8y7@...il.com>
To: Md Sadre Alam <quic_mdalam@...cinc.com>, Mark Brown <broonie@...nel.org>,
Varadarajan Narayanan <quic_varada@...cinc.com>,
Sricharan Ramabadhran <quic_srichara@...cinc.com>,
Miquel Raynal <miquel.raynal@...tlin.com>,
Richard Weinberger <richard@....at>, Vignesh Raghavendra <vigneshr@...com>
Cc: linux-spi@...r.kernel.org, linux-mtd@...ts.infradead.org,
linux-arm-msm@...r.kernel.org, linux-kernel@...r.kernel.org,
Lakshmi Sowjanya D <quic_laksd@...cinc.com>
Subject: Re: [PATCH 2/2] mtd: nand: qpic_common: prevent out of bounds access
of BAM arrays
On 2025. 05. 26. 8:53, Md Sadre Alam wrote:
> Hi,
>
> On 5/25/2025 10:35 PM, Gabor Juhos wrote:
>> The common QPIC code does not do any boundary checking when it handles
>> the command elements and scatter gather list arrays of a BAM transaction,
>> thus it allows access to out of bounds elements in those.
>>
>> Although it is the responsibility of the given driver to allocate enough
>> space for all possible BAM transaction variations, there can be
>> mistakes in the driver code which can lead to hidden memory corruption
>> issues which are hard to debug.
>>
>> This kind of problem has been observed during testing of the 'spi-qpic-snand'
>> driver. Although the driver has been fixed with a preceding patch, it
>> still makes sense to reduce the chance of having such errors again later.
>>
>> In order to prevent such errors, change the qcom_alloc_bam_transaction()
>> function to store the number of elements of the arrays in the
>> 'bam_transaction' structure during allocation. Also, add sanity checks to
>> the qcom_prep_bam_dma_desc_{cmd,data}() functions to avoid using out of
>> bounds indices for the arrays.
>>
>> Tested with the 'spi-qpic-snand' driver only.
> I recommend testing this patch on both the IPQ and SDX platforms,
> as the QPIC raw NAND driver is utilized across both.
>
> If you have access to IPQ and SDX devices with raw NAND, please proceed
> with testing on both.
Sorry, I have no SDX devices at all, and unfortunately I can't access my older
IPQ boards before next week.
>
> Otherwise, I can handle testing on the IPQ raw NAND device and coordinate with
> Lakshmi Sowjanya D (quic_laksd@...cinc.com)
> for testing on the SDX platform.
If you could do some testing in the meantime, that would be superb.
Thanks for that in advance!
Regards,
Gabor
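The mitigation the quoted commit message describes, recording the array capacity in the transaction structure at allocation time and refusing out-of-range indices in the prep path, as an added user-space model written for this page (not the kernel's qpic_common code; the struct and function names below are hypothetical stand-ins for the real qcom_* helpers):

```c
#include <errno.h>
#include <stdlib.h>

/* Hypothetical, simplified model of a BAM transaction (not the real struct). */
struct cmd_element { unsigned int addr; unsigned int data; };

struct bam_txn {
	struct cmd_element *cmd_elements;  /* command element array */
	unsigned int cmd_count;            /* elements filled so far */
	unsigned int cmd_max;              /* capacity recorded at allocation */
};

/* Allocate a transaction and keep the capacity next to the array. */
struct bam_txn *bam_txn_alloc(unsigned int num_cmd_elements)
{
	struct bam_txn *txn = calloc(1, sizeof(*txn));
	if (!txn)
		return NULL;
	txn->cmd_elements = calloc(num_cmd_elements, sizeof(*txn->cmd_elements));
	if (!txn->cmd_elements) {
		free(txn);
		return NULL;
	}
	txn->cmd_max = num_cmd_elements;
	return txn;
}

/* Append a command element; fail instead of writing past the array end. */
int bam_txn_add_cmd(struct bam_txn *txn, unsigned int addr, unsigned int data)
{
	if (txn->cmd_count >= txn->cmd_max)
		return -EINVAL;  /* caller gets an error, not silent corruption */
	txn->cmd_elements[txn->cmd_count].addr = addr;
	txn->cmd_elements[txn->cmd_count].data = data;
	txn->cmd_count++;
	return 0;
}

void bam_txn_free(struct bam_txn *txn)
{
	if (txn) {
		free(txn->cmd_elements);
		free(txn);
	}
}

/* Try to push `pushes` elements into a transaction of capacity `cap`;
 * returns how many were refused (0 means the arrays were sized correctly). */
int bam_txn_count_refused(unsigned int cap, unsigned int pushes)
{
	struct bam_txn *txn = bam_txn_alloc(cap);
	int refused = 0;
	if (!txn)
		return -ENOMEM;
	for (unsigned int i = 0; i < pushes; i++)
		if (bam_txn_add_cmd(txn, 0x1000 + i, i) < 0)
			refused++;
	bam_txn_free(txn);
	return refused;
}
```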