From patchwork Mon Sep 16 09:58:45 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Linus Walleij X-Patchwork-Id: 829006 Delivered-To: patch@linaro.org Received: by 2002:a05:6000:4187:b0:367:895a:4699 with SMTP id ei7csp699587wrb; Mon, 16 Sep 2024 02:59:24 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCUyXCEev0GchSKRRs9VxYCasuCYhC4ksjd+xyUXK6E4biCRXNCTpbNCfqo7Wl5uKVJ/qISHzA==@linaro.org X-Google-Smtp-Source: AGHT+IHQKKWHgpA/ypSNuc6XK2z1YpocuHrjK5GVS956Ev4Bg3tik4WOoHsv1PSaKKKq7+OmSiKe X-Received: by 2002:a05:600c:4746:b0:426:6158:962d with SMTP id 5b1f17b1804b1-42d964d8612mr77833425e9.23.1726480764367; Mon, 16 Sep 2024 02:59:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1726480764; cv=none; d=google.com; s=arc-20240605; b=EDFe38NVlKVGEttdTB/oE+3C/g6xp7Zd6kQpgZtC9AVga08ErIWwUjvTvvVZvNZcRS 5fJ1mXlalj1fcjYjL21IVmgOxfTIALuj0D41KvosDsgQ8wJlLy3e5hr2ZhEKhDoaPccX XtijbRmBcwh7V4EyYujFUnaV1CGFNSpxixV8ZFb+fRdyESh+KKFdvmDedjv5ACEVdmEq bPx+DS2eXGAV8/4ZpaLXcV/huphlDT8ssmFiB9mBq2fGwro19/Ax3cSLHLCnq0TTWzlf +Rv2TKdjVm/ve/g/22qzZ1N6ce2vsTo5R5hJUvU97CNm2aIrNZaF+XkmGOhKThX6RPkY CXAw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:cc:to:in-reply-to:references :message-id:content-transfer-encoding:mime-version:subject:date:from :dkim-signature; bh=EvEkZF2r2AqggnLWTgwzPhL/JoYelLUDEL1aq/7CH+o=; fh=bbSjVJcsz6ma3Arirz+KWNos93PEC62yDVUDN8y6koA=; b=XckjZlrDjp0CglA5XHXkcLPelI37XQea4mPCEWd2NJp9mIHn3g5ACccOcBWAC5cUUV CFDfRnHPt7B3SZNA1KAX5BB7L8vYJ8tp0H1SItktejrwKy0jphiyo9SGzLJp3Get3Xhn IQ3KGaYLRpjYgH5dA4f5yyvIIKmeS6s5gVZ2IIPPSEtfUquCUA9Y1Hgev/yIRspuHFcv wzJq3NvMFTwxLjRTZrOZUIidqW8zRTD0iBekmsHbi5X9Su9O3v8YsWx9ta4KEkIokRie MtJ/RWKTqshF+nD2XNqQQuP/Q6+WwUcD7X4Xxo6h8XkxNl2yC106HIAb+1LNUCDfDCxA Ud7Q==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=GNE6+d0O; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org; dara=neutral header.i=@linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [2a01:238:438b:c500:173d:9f52:ddab:ee01]) by mx.google.com with ESMTPS id ffacd0b85a97d-378e7802933si2067758f8f.464.2024.09.16.02.59.23 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 16 Sep 2024 02:59:24 -0700 (PDT) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=GNE6+d0O; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org; dara=neutral header.i=@linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id E91DE88F01; Mon, 16 Sep 2024 11:58:56 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="GNE6+d0O"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 3BD1A88EF8; Mon, 16 Sep 2024 11:58:55 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-ej1-x62f.google.com (mail-ej1-x62f.google.com [IPv6:2a00:1450:4864:20::62f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id D9D4988EDB for ; Mon, 16 Sep 2024 11:58:51 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=linus.walleij@linaro.org Received: by mail-ej1-x62f.google.com with SMTP id a640c23a62f3a-a8d446adf6eso451331266b.2 for ; Mon, 16 Sep 2024 02:58:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1726480731; x=1727085531; darn=lists.denx.de; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=EvEkZF2r2AqggnLWTgwzPhL/JoYelLUDEL1aq/7CH+o=; b=GNE6+d0OvUvq1QIEWPCNzG7UXgfCVWP4ycbLz2k7uY3D0v3BLCNDm1RxCIOHBrQ6zj rk2eFd5Gj1me41X2rXfokeiWJETX49+DZpsvkh9bCuTFkcpP+b5XMcR8/frPOggFFPbi 5XNcrYsWFagHBeT7Xo9XDgtSU6ODlDGeXYa3CazBB9NBor/11SywqIdv8kiWM0jwlXtd R5NzZHstc79HFXXUjAfURsAtBJ74R6oYNBD0ObPVBezMgp0IXXuBbn/CXIkPBgpjCty3 RRSR5K1B5kiQvLcgPi3c4M7Spy6Df5FF3evkAbHFD84wPFN9U8gDulhiJ6qwFTV8cesq y2Ag== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1726480731; x=1727085531; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=EvEkZF2r2AqggnLWTgwzPhL/JoYelLUDEL1aq/7CH+o=; b=Xe3Q087agOWyIm2TU2g5ChxwUTlaP6imN7Xsr0y3zeoXTa3nC8of6/dxuHn9caGNC7 Ipa7COHHHyBa/+VJQk5hT6C/9Wu5VVYap7DjFLHRy4HCedUX844C8UAXsv3Z83peQzaW S1GlE7OQPl5yQrg5rgDl23SYPdlVAMoSfo6xmmXGLDT9ygRaW63P+UiYB8lP4s+H0/SX NVCnboQxi/WjwbUL1IGPvYyEA3MIf4d9lZ+lHDi1ATE+m0N1nUYtwd4zuQil7HY7uO5P Kk4yCx905I8OoytdctIxFYBkAG69IkCKoWT0K0Tu9Qwzt04F9SFjyfWyZjDVuLr6NabD +SYg== X-Gm-Message-State: AOJu0YyDb5sN/PdB6oOBfkQatO8x3PQX83s2XgmU61icyEGrzN/bA7Jy ZjoSh0MN3rolMJv7BBHFVi9CpjKxk0kaOgh3jtdOUft5gSmyLqs4EfripgtcQE5pGIr5XT/bxOH b X-Received: by 2002:a17:907:f75a:b0:a86:a90f:3025 with SMTP id a640c23a62f3a-a90480ce2a2mr1108324766b.59.1726480730636; Mon, 16 Sep 2024 02:58:50 -0700 (PDT) Received: from lino.lan ([85.235.12.238]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-a906109662fsm292862966b.38.2024.09.16.02.58.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 16 Sep 2024 02:58:49 -0700 (PDT) From: Linus Walleij Date: Mon, 16 Sep 2024 11:58:45 +0200 Subject: [PATCH v2 3/7] mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write MIME-Version: 1.0 Message-Id: <20240916-brcmnand-fixes-v2-3-08632f64c8ec@linaro.org> References: <20240916-brcmnand-fixes-v2-0-08632f64c8ec@linaro.org> In-Reply-To: <20240916-brcmnand-fixes-v2-0-08632f64c8ec@linaro.org> To: u-boot@lists.denx.de, Dario Binacchi , Michael Trimarchi , Anand Gore , William Zhang , Kursad Oney , Philippe Reynes Cc: Linus Walleij , Florian Fainelli , Miquel Raynal X-Mailer: b4 0.14.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de X-Virus-Status: Clean From: William Zhang Backport of upstream Linux commit 5d53244186c9ac58cb88d76a0958ca55b83a15cd "mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write" When the oob buffer length is not in multiple of words, the oob write function does out-of-bounds read on the oob source buffer at the last iteration. Fix that by always checking length limit on the oob buffer read and fill with 0xff when reaching the end of the buffer to the oob registers. Signed-off-by: William Zhang Reviewed-by: Florian Fainelli Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20230706182909.79151-5-william.zhang@broadcom.com Signed-off-by: Linus Walleij Reviewed-by: William Zhang --- drivers/mtd/nand/raw/brcmnand/brcmnand.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/drivers/mtd/nand/raw/brcmnand/brcmnand.c b/drivers/mtd/nand/raw/brcmnand/brcmnand.c index 46a4107a83a9..60d34bd21f53 100644 --- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c +++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c @@ -1334,19 +1334,33 @@ static int write_oob_to_regs(struct brcmnand_controller *ctrl, int i, const u8 *oob, int sas, int sector_1k) { int tbytes = sas << sector_1k; - int j; + int j, k = 0; + u32 last = 0xffffffff; + u8 *plast = (u8 *)&last; /* Adjust OOB values for 1K sector size */ if (sector_1k && (i & 0x01)) tbytes = max(0, tbytes - (int)ctrl->max_oob); tbytes = min_t(int, tbytes, ctrl->max_oob); - for (j = 0; j < tbytes; j += 4) + /* + * tbytes may not be multiple of words. Make sure we don't read out of + * the boundary and stop at last word. + */ + for (j = 0; (j + 3) < tbytes; j += 4) oob_reg_write(ctrl, j, (oob[j + 0] << 24) | (oob[j + 1] << 16) | (oob[j + 2] << 8) | (oob[j + 3] << 0)); + + /* handle the remaing bytes */ + while (j < tbytes) + plast[k++] = oob[j++]; + + if (tbytes & 0x3) + oob_reg_write(ctrl, (tbytes & ~0x3), (__force u32)cpu_to_be32(last)); + return tbytes; }