Message-ID: <b9134a1d-3dbc-4cd9-b22a-90b1c8934ce9@gmail.com>
Date: Mon, 26 May 2025 22:01:29 +0200
From: Gabor Juhos <j4g8y7@...il.com>
To: Md Sadre Alam <quic_mdalam@...cinc.com>, Mark Brown <broonie@...nel.org>,
 Varadarajan Narayanan <quic_varada@...cinc.com>,
 Sricharan Ramabadhran <quic_srichara@...cinc.com>,
 Miquel Raynal <miquel.raynal@...tlin.com>,
 Richard Weinberger <richard@....at>, Vignesh Raghavendra <vigneshr@...com>
Cc: linux-spi@...r.kernel.org, linux-mtd@...ts.infradead.org,
 linux-arm-msm@...r.kernel.org, linux-kernel@...r.kernel.org,
 Lakshmi Sowjanya D <quic_laksd@...cinc.com>
Subject: Re: [PATCH 2/2] mtd: nand: qpic_common: prevent out of bounds access
 of BAM arrays

On 2025. 05. 26. 8:53, Md Sadre Alam wrote:
> Hi,
> 
> On 5/25/2025 10:35 PM, Gabor Juhos wrote:
>> The common QPIC code does not do any boundary checking when it handles
>> the command elements and scatter gather list arrays of a BAM transaction,
>> thus it allows access to out of bounds elements in those.
>>
>> Although it is the responsibility of the given driver to allocate enough
>> space for all possible BAM transaction variations, there can be
>> mistakes in the driver code which can lead to hidden memory corruption
>> issues which are hard to debug.
>>
>> This kind of problem has been observed during testing the 'spi-qpic-snand'
>> driver. Although the driver has been fixed with a preceding patch, it
>> still makes sense to reduce the chance of having such errors again later.
>>
>> In order to prevent such errors, change the qcom_alloc_bam_transaction()
>> function to store the number of elements of the arrays in the
>> 'bam_transaction' structure during allocation. Also, add sanity checks to
>> the qcom_prep_bam_dma_desc_{cmd,data}() functions to avoid using out of
>> bounds indices for the arrays.
>>
>> Tested with the 'spi-qpic-snand' driver only.
> I recommend testing this patch on both the IPQ and SDX platforms,
> as the QPIC raw NAND driver is utilized across both.
> 
> If you have access to IPQ and SDX devices with raw NAND, please proceed
> with testing on both.

Sorry, I have no SDX devices at all, and unfortunately I can't access my older
IPQ boards before next week.

> 
> Otherwise, I can handle testing on the IPQ raw NAND device and coordinate with
> Lakshmi Sowjanya D (quic_laksd@...cinc.com)
> for testing on the SDX platform.

If you could do some testing in the meantime, that would be superb.
Thanks for that in advance!

Regards,
Gabor
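
The pattern the quoted commit message describes (record the array sizes in the transaction structure at allocation time, then reject out-of-bounds indices in the descriptor-preparation helpers) is shown below as an added, stand-alone example. It is not the kernel's qpic_common code or the patch itself: the struct layouts and the bam_txn_alloc/bam_txn_add_cmd/bam_txn_add_cmd_run/bam_txn_add_data names are simplified assumptions made for illustration. It goes slightly beyond the single-index case by also checking a run of n elements against the remaining room, so that an oversized n cannot wrap the index sum and slip past the check.

```c
/* Added example, not the kernel's qpic_common code: a simplified model of the
 * pattern the patch describes. Struct layouts and the bam_txn_* names are
 * assumptions for illustration only. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct cmd_elem { uint32_t addr; uint32_t data; };   /* BAM command element */
struct sg_entry { const void *buf; size_t len; };    /* scatter-gather entry */

struct bam_transaction {
	struct cmd_elem *cmd_elems;
	struct sg_entry *data_sgl;
	unsigned int cmd_count;   /* capacity, recorded at allocation time */
	unsigned int data_count;  /* capacity, recorded at allocation time */
	unsigned int cmd_idx;     /* next free command element */
	unsigned int data_idx;    /* next free data SGL entry */
};

/* Allocate a transaction and remember how large each array is. */
struct bam_transaction *bam_txn_alloc(unsigned int ncmd, unsigned int ndata)
{
	struct bam_transaction *t = calloc(1, sizeof(*t));

	if (!t)
		return NULL;
	/* "?: 1" keeps calloc(0, ...) from returning NULL on some libcs */
	t->cmd_elems = calloc(ncmd ? ncmd : 1, sizeof(*t->cmd_elems));
	t->data_sgl = calloc(ndata ? ndata : 1, sizeof(*t->data_sgl));
	if (!t->cmd_elems || !t->data_sgl) {
		free(t->cmd_elems);
		free(t->data_sgl);
		free(t);
		return NULL;
	}
	t->cmd_count = ncmd;
	t->data_count = ndata;
	return t;
}

void bam_txn_free(struct bam_transaction *t)
{
	if (!t)
		return;
	free(t->cmd_elems);
	free(t->data_sgl);
	free(t);
}

/* Append one command element; refuse instead of writing past the array. */
int bam_txn_add_cmd(struct bam_transaction *t, uint32_t addr, uint32_t data)
{
	if (t->cmd_idx >= t->cmd_count)
		return -ENOSPC;
	t->cmd_elems[t->cmd_idx].addr = addr;
	t->cmd_elems[t->cmd_idx].data = data;
	t->cmd_idx++;
	return 0;
}

/* Reserve n consecutive command elements. Compare n against the remaining
 * room instead of computing cmd_idx + n, so an oversized n cannot wrap the
 * sum and slip past the check. */
int bam_txn_add_cmd_run(struct bam_transaction *t, unsigned int n,
			uint32_t base_addr, const uint32_t *vals)
{
	unsigned int i;

	if (n > t->cmd_count - t->cmd_idx)
		return -ENOSPC;
	for (i = 0; i < n; i++) {
		t->cmd_elems[t->cmd_idx + i].addr = base_addr + 4 * i;
		t->cmd_elems[t->cmd_idx + i].data = vals[i];
	}
	t->cmd_idx += n;
	return 0;
}

/* Append one data SGL entry with the same kind of bound check. */
int bam_txn_add_data(struct bam_transaction *t, const void *buf, size_t len)
{
	if (t->data_idx >= t->data_count)
		return -ENOSPC;
	t->data_sgl[t->data_idx].buf = buf;
	t->data_sgl[t->data_idx].len = len;
	t->data_idx++;
	return 0;
}

int main(void)
{
	/* Constructed input: room for 3 command elements and 1 SGL entry. */
	static const uint32_t regs[2] = { 0x11, 0x22 };
	static const char payload[8] = "abcdefg";
	struct bam_transaction *t = bam_txn_alloc(3, 1);

	if (!t)
		return 1;
	printf("run of 2: %d\n", bam_txn_add_cmd_run(t, 2, 0x1000, regs)); /* 0 */
	printf("run of 2: %d\n", bam_txn_add_cmd_run(t, 2, 0x2000, regs)); /* -ENOSPC */
	printf("single:   %d\n", bam_txn_add_cmd(t, 0x3000, 0x33));        /* 0 */
	printf("data:     %d\n", bam_txn_add_data(t, payload, sizeof(payload)));
	printf("data:     %d\n", bam_txn_add_data(t, payload, sizeof(payload)));
	bam_txn_free(t);
	return 0;
}
```

The cost is two extra fields in the transaction and one compare per append; in return a driver that miscounts its elements gets a clean error code at the call site rather than silent corruption of whatever follows the array in the allocation.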
