lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <b238b17a-c22b-4bd8-87bd-2d924328a062@omp.ru>
Date: Sat, 18 Oct 2025 23:44:37 +0300
From: Sergey Shtylyov <s.shtylyov@....ru>
To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, Jiri Slaby
	<jirislaby@...nel.org>, Matthias Brugger <matthias.bgg@...il.com>,
	AngeloGioacchino Del Regno <angelogioacchino.delregno@...labora.com>,
	<linux-serial@...r.kernel.org>, <linux-kernel@...r.kernel.org>
CC: <linux-arm-kernel@...ts.infradead.org>,
	<linux-mediatek@...ts.infradead.org>, <lvc-project@...uxtesting.org>, Fedor
 Pchelkin <pchelkin@...ras.ru>
Subject: [PATCH v3] serial: 8250_mtk: correct max baud rate in set_termios()
 method

Commit 81bb549fdf14 ("serial: 8250_mtk: support big baud rate.") claimed
the maximum supported baud rate to be 4 Mbps; of the Mediatek datasheets
(I was able to get my hands on), only MT7987A datasheet did support this
claim and MT7981B/88A datasheets disagreed, claiming just 3 Mbps maximum.
However, this commit failed to enforce even the claimed maximum, passing
port->uartclk to uart_get_baud_rate() for the maximum baud rate -- while
the datasheets mention up to 52 MHz for the baud clock's frequency. This
means that an integer overflow would happen (when multiplying the baud
variable by 256) if a baud rate higher than 16777215 bps is passed via
termios->c_ospeed (division by 0 will also happen when exactly 16777216
bps is passed). Pass to uart_get_baud_rate() the documented maximum of
4 Mbps or port->uartclk (whichever happens to be lesser) -- this way,
we can avoid both overflows and regression with the maximum baud rate...

Found by Linux Verification Center (linuxtesting.org) with the Svace static
analysis tool.

Fixes: 81bb549fdf14 ("serial: 8250_mtk: support big baud rate.")
Signed-off-by: Sergey Shtylyov <s.shtylyov@....ru>

---
This patch is against the tty-linus branch of Greg KH's 'tty.git' repo.

Changes in version #3:
- updated the maximum baud rate to 4 Mbps;
- rewrote the description again, adding more info on the MT798x datasheets
  studied, on how the bug manifests iself, and on the solution.

Changes in version #2:
- changed the approach to the problem (and hence rewrote the description);
- removed "the" article from the subject for brevity.

 drivers/tty/serial/8250/8250_mtk.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Index: tty/drivers/tty/serial/8250/8250_mtk.c
===================================================================
--- tty.orig/drivers/tty/serial/8250/8250_mtk.c
+++ tty/drivers/tty/serial/8250/8250_mtk.c
@@ -358,7 +358,7 @@ mtk8250_set_termios(struct uart_port *po
 	 */
 	baud = uart_get_baud_rate(port, termios, old,
 				  port->uartclk / 16 / UART_DIV_MAX,
-				  port->uartclk);
+				  min(4000000U, port->uartclk));
 
 	if (baud < 115200) {
 		serial_port_out(port, MTK_UART_HIGHS, 0x0);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ