lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 26 May 2020 16:46:00 +0100
From:   Russell King - ARM Linux admin <linux@...linux.org.uk>
To:     Jeremy Linton <jeremy.linton@....com>
Cc:     Andrew Lunn <andrew@...n.ch>,
        Heiner Kallweit <hkallweit1@...il.com>,
        Florian Fainelli <f.fainelli@...il.com>, netdev@...r.kernel.org
Subject: Re: [PATCH RFC 7/7] net: phy: read MMD ID from all present MMDs

On Tue, May 26, 2020 at 10:35:46AM -0500, Jeremy Linton wrote:
> Hi,
> 
> On 5/26/20 9:31 AM, Russell King wrote:
> > Expand the device_ids[] array to allow all MMD IDs to be read rather
> > than just the first 8 MMDs, but only read the ID if the MDIO_STAT2
> > register reports that a device really is present here for these new
> > devices to maintain compatibility with our current behaviour.
> > 
> > 88X3310 PHY vendor MMDs do are marked as present in the
> > devices_in_package, but do not contain IEE 802.3 compatible register
> > sets in their lower space.  This avoids reading incorrect values as MMD
> > identifiers.
> > 
> > Signed-off-by: Russell King <rmk+kernel@...linux.org.uk>
> > ---
> >   drivers/net/phy/phy_device.c | 14 ++++++++++++++
> >   include/linux/phy.h          |  2 +-
> >   2 files changed, 15 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
> > index 1c948bbf4fa0..92742c7be80f 100644
> > --- a/drivers/net/phy/phy_device.c
> > +++ b/drivers/net/phy/phy_device.c
> > @@ -773,6 +773,20 @@ static int get_phy_c45_ids(struct mii_bus *bus, int addr, u32 *phy_id,
> >   		if (!(devs_in_pkg & (1 << i)))
> >   			continue;
> > +		if (i >= 8) {
> > +			/* Only probe the MMD ID for MMDs >= 8 if they report
> > +			 * that they are present. We have at least one PHY that
> > +			 * reports MMD presence in devs_in_pkg, but does not
> > +			 * contain valid IEEE 802.3 ID registers in some MMDs.
> > +			 */
> > +			ret = phy_c45_probe_present(bus, addr, i);
> > +			if (ret < 0)
> > +				return ret;
> > +
> > +			if (!ret)
> > +				continue;
> > +		}
> > +
> >   		phy_reg = mdiobus_c45_read(bus, addr, i, MII_PHYSID1);
> >   		if (phy_reg < 0)
> >   			return -EIO;
> > diff --git a/include/linux/phy.h b/include/linux/phy.h
> > index 0d41c710339a..3325dd8fb9ac 100644
> > --- a/include/linux/phy.h
> > +++ b/include/linux/phy.h
> > @@ -361,7 +361,7 @@ enum phy_state {
> >   struct phy_c45_device_ids {
> >   	u32 devices_in_package;
> >   	u32 mmds_present;
> > -	u32 device_ids[8];
> > +	u32 device_ids[MDIO_MMD_NUM];
> 
> You have a array overflow/invalid access if you don't do this earlier in
> 4/7.

I'm very sorry, but you are mistaken - there is no overflow.

The overflow would happen if I'd changed the _second_ loop in
get_phy_c45_ids(), but that still relies upon the size of this
array.  In fact, everywhere that the device_ids array is indexed
with a for() loop, the maximum bound is defined by the element
size of the array.

-- 
RMK's Patch system: https://www.armlinux.org.uk/developer/patches/
FTTC for 0.8m (est. 1762m) line in suburbia: sync at 13.1Mbps down 424kbps up

Powered by blists - more mailing lists