lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <aO5dtNJrF3vduSyJ@apocalypse>
Date: Tue, 14 Oct 2025 16:27:00 +0200
From: Andrea della Porta <andrea.porta@...e.com>
To: Rob Herring <robh@...nel.org>
Cc: Andrea della Porta <andrea.porta@...e.com>,
	Saravana Kannan <saravanak@...gle.com>, devicetree@...r.kernel.org,
	linux-kernel@...r.kernel.org, iivanov@...e.de, svarbanov@...e.de,
	mbrugger@...e.com, Phil Elwell <phil@...pberrypi.com>
Subject: Re: [PATCH] of: reserved_mem: Add heuristic to validate reserved
 memory regions

Hi Rob,

On 08:12 Tue 14 Oct     , Rob Herring wrote:
> On Tue, Oct 14, 2025 at 2:32 AM Andrea della Porta
> <andrea.porta@...e.com> wrote:
> >
> > When parsing static reserved-memory DT nodes, any node with a reg property
> > length that is not perfectly conformant is discarded.
> > Specifically, any reg property whose length is not a multiple of the parent's
> > (#address-cells + #size-cells) is dropped.
> >
> > Relax this condition (while still treating perfect multiples as having higher
> > precedence) by allowing regions that are subsets of the parent's addressable
> > space to be considered for inclusion.
> > For example, in the following scenario:
> >
> > / {
> >         #address-cells = <0x02>;
> >         #size-cells = <0x02>;
> >         ...
> >
> >         reserved-memory {
> >                 #address-cells = <0x02>;
> >                 #size-cells = <0x02>;
> >                 ...
> >
> >                 nvram {
> >                         reg = <0x00 0x3fd16d00 0x37>;
> >                         ...
> >                 };
> >         };
> > };
> >
> > Even though the reg property of the nvram node is not well-formed from a DT
> > syntax perspective, it still references a perfectly valid memory region of
> > 0x37 bytes that should be reserved.
> 
> No it isn't. I could just as easily argue that the reserved size
> should be 0x37_00000000 because it's BE data. I have little interest
> in supporting incorrect DTs especially generically where we have no
> clue what platform needs it and whether we still have to carry the
> code. There's enough of that crap with ancient PPC and Sparc systems.

I understand the pain, but IIUC the example you mentioned (0x37 0x00) deals
with an incorrect size value (due to endianness) over a correct size length
(#size-cells = 2), while the case this patch tries to address is the opposite,
i.e. correct size values (corrected by the fw) over an incorrect size length. 
For the former issue, the actual kernel code does not have an answer yet. For
the latter I propose this patch.
The point is that the potential erroneous regions we could introduce with this
patch are just a subset of the regions that can be erroneously introduced in
the actual kernel, so no additional harm could be done.

> 
> Furthermore, this looks like an abuse of /reserved-memory which should
> *only* be holes in what /memory node(s) define. I don't think we
> enforce that and I imagine there is lots of abuse.

AFAIK the only enforcement in the kernel is being an integer multiple of the
root address + size cells. As you already pointed out, this means easy abuse
but this is still a fact with the current kernel, not something that would
be exploitable more easily with this patch.

> 
> > This has at least one real-world equivalent on the Raspberry Pi 5, for example,
> > on which the firmware incorrectly overwrites the nvram node's reg property
> > without taking into account the actual value of the parent's #size-cells.
> 
> If we have to support this broken firmware, the kernel should fixup
> the entry to be correct.

This is what I first thought of, but it has several issues that complicates
its implementation:

- I guess there's no current infrastructure to execute fw specific code in
  the reserved-memory node (something that resembles PCI quirks?)

- Finding out whether a fix is required depends on identifying the fw, which is
  possible only reading its fingerprint through the reserved-memory region
  itself. This is kinda of a recursive problem...

- The reserved memory parsing function is invoked very early in the boot process,
  so we cannot rely on a driver module to amend that

I will try to cook up something on this line, but I guess it will not be easy.

Many thanks,
Andrea

> 
> Rob

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ