From: Jennifer Berringer <jberring@redhat.com>
To: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>,
Sebastian Reichel <sre@kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Maxime Ripard <mripard@kernel.org>
Cc: linux-kernel@vger.kernel.org, linux-pm@vger.kernel.org,
Jennifer Berringer <jberring@redhat.com>
Subject: [PATCH v2 0/3] nvmem: fix out-of-bounds write
Date: Thu, 24 Oct 2024 11:40:47 -0400
Message-ID: <20241024154050.3245228-1-jberring@redhat.com>

Hi all,

These patches fix a small out-of-bounds write when using the
nvmem-reboot-mode driver on Qualcomm SA8775P, such as by executing
"reboot bootloader" in a shell. Relevant error log:

  BUG: KASAN: slab-out-of-bounds in nvmem_cell_prepare_write_buffer+0x144/0x47c
  Write of size 4 at addr ffff19dd8e1a37a0 by task systemd-shutdow/1
  Hardware name: Qualcomm SA8775P Ride (DT)
  Call trace:
   nvmem_cell_prepare_write_buffer
   nvmem_cell_write
   nvmem_reboot_mode_write
  The buggy address is located 0 bytes inside of
   allocated 1-byte region

This problem manifested because the devicetree file sa8775p-pmics.dtsi
specifies its reboot-mode cell with "reg = <0x48 0x1>" and so expects
the reboot mode write to only be 1 byte rather than 4. Other in-tree
devicetrees that seem likely affected include pmk8350 and pmk8550.

These changes add the missing bounds check to nvmem_cell_write and make
nvmem-reboot-mode able to only write as many bytes as it needs to.

v2:
- Added missing function definition for CONFIG_NVMEM=n

---

Jennifer Berringer (3):
  nvmem: core: improve range check for nvmem_cell_write()
  nvmem: core: add nvmem_cell_write_variable_u32()
  power: reset: nvmem-reboot-mode: fix write for small cells

 drivers/nvmem/core.c                    | 31 +++++++++++++++++++++++--
 drivers/power/reset/nvmem-reboot-mode.c |  2 +-
 include/linux/nvmem-consumer.h          |  6 +++++
 3 files changed, 36 insertions(+), 3 deletions(-)

base-commit: 98f7e32f20d28ec452afb208f9cffc08448a2652
--
2.46.2
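
Added example, not part of the original message or the kernel patches: a userspace C model of the failure described above, where a 4-byte reboot mode value is written to a cell declared as 1 byte, and of the two defenses the cover letter names (a length check on the write path and a size-aware u32 write). The struct, the `model_*` and `demo_*` names, the little-endian layout and the choice to reject values that do not fit are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical userspace model of an nvmem cell; not the kernel's struct. */
struct model_cell {
    uint8_t *storage;   /* backing bytes for the cell */
    size_t bytes;       /* cell size taken from "reg = <offset size>" */
};

/* Length-checked write: refuse any length that does not match the cell. */
static int model_cell_write(struct model_cell *cell, const void *buf, size_t len)
{
    if (!cell || !buf || len == 0 || len != cell->bytes)
        return -EINVAL;
    memcpy(cell->storage, buf, len);
    return (int)len;
}

/*
 * Write a u32 into a cell of 1..4 bytes, emitting only cell->bytes bytes.
 * Assumption: little-endian layout, and a value that needs more bytes than
 * the cell holds is rejected rather than silently truncated.
 */
static int model_cell_write_variable_u32(struct model_cell *cell, uint32_t val)
{
    uint8_t le[sizeof(val)];
    size_t i;

    if (!cell || cell->bytes == 0 || cell->bytes > sizeof(val))
        return -EINVAL;
    if (cell->bytes < sizeof(val) && (val >> (8 * cell->bytes)) != 0)
        return -EINVAL;
    for (i = 0; i < sizeof(val); i++)
        le[i] = (uint8_t)(val >> (8 * i));
    return model_cell_write(cell, le, cell->bytes);
}

/* Constructed scenario: a 1-byte cell at out[0]; out[1..3] act as canaries. */
static int demo_one_byte_cell(uint32_t mode, uint8_t out[4])
{
    struct model_cell cell = { .storage = out, .bytes = 1 };

    memset(out, 0xAA, 4);
    return model_cell_write_variable_u32(&cell, mode);
}

int main(void) { uint8_t out[4]; return demo_one_byte_cell(0x02, out) == 1 ? 0 : 1; }
```
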
Thread overview: 7+ messages
2024-10-24 15:40 Jennifer Berringer [this message]
2024-10-24 15:40 ` [PATCH v2 1/3] nvmem: core: improve range check for nvmem_cell_write() Jennifer Berringer
2024-10-29 17:55 ` Srinivas Kandagatla
2024-10-29 21:31 ` Jennifer Berringer
2024-10-30 11:43 ` Srinivas Kandagatla
2024-10-24 15:40 ` [PATCH v2 2/3] nvmem: core: add nvmem_cell_write_variable_u32() Jennifer Berringer
2024-10-24 15:40 ` [PATCH v2 3/3] power: reset: nvmem-reboot-mode: fix write for small cells Jennifer Berringer