[PATCH v2 3/7] mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write
William Zhang
william.zhang at broadcom.com
Tue Sep 17 02:22:02 CEST 2024
> -----Original Message-----
> From: Linus Walleij <linus.walleij at linaro.org>
> Sent: Monday, September 16, 2024 2:59 AM
> To: u-boot at lists.denx.de; Dario Binacchi
> <dario.binacchi at amarulasolutions.com>; Michael Trimarchi
> <michael at amarulasolutions.com>; Anand Gore
> <anand.gore at broadcom.com>; William Zhang
> <william.zhang at broadcom.com>; Kursad Oney
> <kursad.oney at broadcom.com>; Philippe Reynes
> <philippe.reynes at softathome.com>
> Cc: Linus Walleij <linus.walleij at linaro.org>; Florian Fainelli
> <florian.fainelli at broadcom.com>; Miquel Raynal
> <miquel.raynal at bootlin.com>
> Subject: [PATCH v2 3/7] mtd: rawnand: brcmnand: Fix potential out-of-
> bounds access in oob write
>
> From: William Zhang <william.zhang at broadcom.com>
>
> Backport of upstream Linux
> commit 5d53244186c9ac58cb88d76a0958ca55b83a15cd
> "mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write"
>
> When the oob buffer length is not in multiple of words, the oob write
> function does out-of-bounds read on the oob source buffer at the last
> iteration. Fix that by always checking length limit on the oob buffer
> read and fill with 0xff when reaching the end of the buffer to the oob
> registers.
>
> Signed-off-by: William Zhang <william.zhang at broadcom.com>
> Reviewed-by: Florian Fainelli <florian.fainelli at broadcom.com>
> Signed-off-by: Miquel Raynal <miquel.raynal at bootlin.com>
> Link: https://lore.kernel.org/linux-mtd/20230706182909.79151-5-
> william.zhang at broadcom.com
> Signed-off-by: Linus Walleij <linus.walleij at linaro.org>
> ---
> drivers/mtd/nand/raw/brcmnand/brcmnand.c | 18 ++++++++++++++++--
> 1 file changed, 16 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/mtd/nand/raw/brcmnand/brcmnand.c
> b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
> index 46a4107a83a9..60d34bd21f53 100644
> --- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c
> +++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c
> @@ -1334,19 +1334,33 @@ static int write_oob_to_regs(struct
> brcmnand_controller *ctrl, int i,
> const u8 *oob, int sas, int sector_1k)
> {
> int tbytes = sas << sector_1k;
> - int j;
> + int j, k = 0;
> + u32 last = 0xffffffff;
> + u8 *plast = (u8 *)&last;
>
> /* Adjust OOB values for 1K sector size */
> if (sector_1k && (i & 0x01))
> tbytes = max(0, tbytes - (int)ctrl->max_oob);
> tbytes = min_t(int, tbytes, ctrl->max_oob);
>
> - for (j = 0; j < tbytes; j += 4)
> + /*
> + * tbytes may not be multiple of words. Make sure we don't read
> out of
> + * the boundary and stop at last word.
> + */
> + for (j = 0; (j + 3) < tbytes; j += 4)
> oob_reg_write(ctrl, j,
> (oob[j + 0] << 24) |
> (oob[j + 1] << 16) |
> (oob[j + 2] << 8) |
> (oob[j + 3] << 0));
> +
> + /* handle the remaing bytes */
> + while (j < tbytes)
> + plast[k++] = oob[j++];
> +
> + if (tbytes & 0x3)
> + oob_reg_write(ctrl, (tbytes & ~0x3), (__force
> u32)cpu_to_be32(last));
> +
> return tbytes;
> }
>
>
> --
> 2.46.0
Reviewed-by: William Zhang <william.zhang at broadcom.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4212 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20240916/13d86292/attachment.bin>
More information about the U-Boot
mailing list