| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <8e969a9f-4dc5-4d1e-879b-8092d43c1c38@csgroup.eu>
Date: Thu, 20 Nov 2025 09:41:45 +0100
From: Christophe Leroy <christophe.leroy@...roup.eu>
To: "Sverdlin, Alexander" <alexander.sverdlin@...mens.com>,
"broonie@...nel.org" <broonie@...nel.org>,
"gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>
Cc: "linux-spi@...r.kernel.org" <linux-spi@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"florent.trinh-thai@...soprasteria.com"
<florent.trinh-thai@...soprasteria.com>
Subject: Re: [PATCH] spi: fsl-cpm: Check length parity before switching to 16
bit mode
Le 10/11/2025 à 14:07, Sverdlin, Alexander a écrit :
> Hi Christophe,
>
> just a couple of nitpicks below:
>
> On Sun, 2025-11-09 at 19:55 +0100, Christophe Leroy wrote:
>> Commit fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers
>> with even size") failed to checkout that the size is really even before
> ^^^^^^^^
> check/verify/"make sure"?
make sure
>
>> switching to 16 bit mode. Until recently the problem went unnoticed
>> because kernfs uses a pre-allocated bounce buffer of size PAGE_SIZE for
>> reading eeprom.
> ^^^^^^
> EEPROM?
ack
>
>> But commit 8ad6249c51d0 ("eeprom: at25: convert to spi-mem API")
>> introduced an additional dynamically allocated bounce buffer whose size
>> is exactly the size of the transfer, leading to a buffer overrun in
>> the fsl-cpm driver when that size is odd.
>>
>> Add the missing length parity verification and remain in 8 bit mode
>> when the length is not even.
>>
>> Fixes: fc96ec826bce ("spi: fsl-cpm: Use 16 bit mode for large transfers with even size")
>
> Missing Cc: stable@?
Nowadays Fixes: tag seems to be enough to get a fix automagically
applied to stable branches, but I added it anyway.
>
>> Closes: https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flore.kernel.org%2Fall%2F638496dd-ec60-4e53-bad7-eb657f67d580%40csgroup.eu%2F&data=05%7C02%7Cchristophe.leroy%40csgroup.eu%7C5ac2e78d2c44433141df08de205a1e5a%7C8b87af7d86474dc78df45f69a2011bb5%7C0%7C0%7C638983768580305289%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=juGQhU%2F%2Fp52t9hPZ5PA0Ka8Ng3ITKNoF%2Bf1%2FP93IkOw%3D&reserved=0
>> Signed-off-by: Christophe Leroy <christophe.leroy@...roup.eu>
>> ---
>> drivers/spi/spi-fsl-spi.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/spi/spi-fsl-spi.c b/drivers/spi/spi-fsl-spi.c
>> index 2f2082652a1a2..e845baa56cc66 100644
>> --- a/drivers/spi/spi-fsl-spi.c
>> +++ b/drivers/spi/spi-fsl-spi.c
>> @@ -335,7 +335,7 @@ static int fsl_spi_prepare_message(struct spi_controller *ctlr,
>> if (t->bits_per_word == 16 || t->bits_per_word == 32)
>> t->bits_per_word = 8; /* pretend its 8 bits */
>> if (t->bits_per_word == 8 && t->len >= 256 &&
>> - (mpc8xxx_spi->flags & SPI_CPM1))
>> + ((t->len & 1) == 0) && (mpc8xxx_spi->flags & SPI_CPM1))
>
> could be written as "!(t->len & 1) && "...
Done.
>
>> t->bits_per_word = 16;
>> }
>> }
>
> You can add my RB tag into your v2.
>
Thanks
Christophe
Powered by blists - more mailing lists