Message-ID: <f467dcc6e92149b8b46ca8a879d36d6c@quicinc.com>
Date: Wed, 28 May 2025 06:11:17 +0000
From: "Lakshmi Sowjanya D (QUIC)" <quic_laksd@...cinc.com>
To: Gabor Juhos <j4g8y7@...il.com>,
"Md Sadre Alam (QUIC)"
<quic_mdalam@...cinc.com>,
Mark Brown <broonie@...nel.org>,
"Varadarajan
Narayanan (QUIC)" <quic_varada@...cinc.com>,
"Sricharan Ramabadhran (QUIC)"
<quic_srichara@...cinc.com>,
Miquel Raynal <miquel.raynal@...tlin.com>,
Richard Weinberger <richard@....at>,
Vignesh Raghavendra <vigneshr@...com>
CC: "linux-spi@...r.kernel.org" <linux-spi@...r.kernel.org>,
"linux-mtd@...ts.infradead.org" <linux-mtd@...ts.infradead.org>,
"linux-arm-msm@...r.kernel.org" <linux-arm-msm@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH 2/2] mtd: nand: qpic_common: prevent out of bounds access
of BAM arrays
> -----Original Message-----
> From: Gabor Juhos <j4g8y7@...il.com>
> Sent: Tuesday, May 27, 2025 1:31 AM
> To: Md Sadre Alam (QUIC) <quic_mdalam@...cinc.com>; Mark Brown
> <broonie@...nel.org>; Varadarajan Narayanan (QUIC)
> <quic_varada@...cinc.com>; Sricharan Ramabadhran (QUIC)
> <quic_srichara@...cinc.com>; Miquel Raynal <miquel.raynal@...tlin.com>;
> Richard Weinberger <richard@....at>; Vignesh Raghavendra
> <vigneshr@...com>
> Cc: linux-spi@...r.kernel.org; linux-mtd@...ts.infradead.org; linux-arm-
> msm@...r.kernel.org; linux-kernel@...r.kernel.org; Lakshmi Sowjanya D
> (QUIC) <quic_laksd@...cinc.com>
> Subject: Re: [PATCH 2/2] mtd: nand: qpic_common: prevent out of bounds
> access of BAM arrays
>
> On 2025. 05. 26. 8:53, Md Sadre Alam wrote:
> > Hi,
> >
> > On 5/25/2025 10:35 PM, Gabor Juhos wrote:
> >> The common QPIC code does not do any boundary checking when it
> >> handles the command elements and scatter gather list arrays of a BAM
> >> transaction, thus it allows to access out of bounds elements in those.
> >>
> >> Although it is the responsibility of the given driver to allocate
> >> enough space for all possible BAM transaction variations, however
> >> there can be mistakes in the driver code which can lead to hidden
> >> memory corruption issues which are hard to debug.
> >>
> >> This kind of problem has been observed during testing the 'spi-qpic-snand'
> >> driver. Although the driver has been fixed with a preceding patch,
> >> but it still makes sense to reduce the chance of having such errors again
> >> later.
> >>
> >> In order to prevent such errors, change the
> >> qcom_alloc_bam_transaction() function to store the number of elements
> >> of the arrays in the 'bam_transaction' structure during allocation.
> >> Also, add sanity checks to the qcom_prep_bam_dma_desc_{cmd,data}()
> >> functions to avoid using out of bounds indices for the arrays.
> >>
> >> Tested with the 'spi-qpic-snand' driver only.
> > I recommend testing this patch on both the IPQ and SDX platforms, as
> > the QPIC raw NAND driver is utilized across both.
> >
> > If you have access to IPQ and SDX devices with raw NAND, please
> > proceed with testing on both.
>
> Sorry, I have no SDX devices at all, and unfortunately I can't access my older
> IPQ boards before next week.
>
> >
> > Otherwise, I can handle testing on the IPQ raw NAND device and
> > coordinate with Lakshmi Sowjanya D (quic_laksd@...cinc.com) for
> > testing on the SDX platform.
>
> If you could do some testing in the meantime, that would be superb.
> Thanks for that in advance!
>
> Regards,
> Gabor
Tested-by: Lakshmi Sowjanya D <quic_laksd@...cinc.com> # on SDX75
--
Regards
Lakshmi Sowjanya
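
The bounds-checking approach described in the quoted commit message, shown as an added example that is not part of this thread or of the kernel patch: a simplified userspace model in which the allocator records the array capacity and the prep function rejects any request that would run past it. All struct, field and function names here are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical, simplified model of a BAM transaction (not the kernel struct). */
struct cmd_elem { unsigned int addr, data; };

struct txn_model {
    struct cmd_elem *ce;   /* command element array */
    size_t ce_nitems;      /* capacity, recorded at allocation time */
    size_t ce_pos;         /* index of the next free command element */
};

/* Allocate the array and remember how many elements it holds. */
struct txn_model *txn_alloc(size_t nitems)
{
    struct txn_model *t = calloc(1, sizeof(*t));

    if (!t)
        return NULL;
    t->ce = calloc(nitems, sizeof(*t->ce));
    if (!t->ce) {
        free(t);
        return NULL;
    }
    t->ce_nitems = nitems;
    return t;
}

/* Queue 'count' command elements; refuse instead of writing past the array. */
int txn_prep_cmd(struct txn_model *t, unsigned int addr, size_t count)
{
    /* ce_pos never exceeds ce_nitems, so this subtraction cannot wrap,
     * whereas ce_pos + count could for a very large count. */
    if (count > t->ce_nitems - t->ce_pos)
        return -EINVAL;
    for (size_t i = 0; i < count; i++) {
        t->ce[t->ce_pos].addr = addr + 4 * (unsigned int)i;
        t->ce[t->ce_pos].data = 0;
        t->ce_pos++;
    }
    return 0;
}

void txn_free(struct txn_model *t)
{
    if (t) {
        free(t->ce);
        free(t);
    }
}
```

A rejected request leaves `ce_pos` unchanged, so an undersized allocation in a driver shows up as an error return at the call site rather than as memory corruption elsewhere.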