From: "Jernej Škrabec" <jernej.skrabec@gmail.com>
To: Yangtao Li <tiny.windzz@gmail.com>,
"Rafael J . Wysocki" <rafael@kernel.org>,
Viresh Kumar <viresh.kumar@linaro.org>,
Chen-Yu Tsai <wens@csie.org>,
Samuel Holland <samuel@sholland.org>,
Andre Przywara <andre.przywara@arm.com>
Cc: Brandon Cheo Fusi <fusibrandon13@gmail.com>,
linux-pm@vger.kernel.org, linux-arm-kernel@lists.infradead.org,
linux-sunxi@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] cpufreq: sun50i: prevent out-of-bounds access
Date: Sat, 22 Mar 2025 08:38:39 +0100 [thread overview]
Message-ID: <2772067.mvXUDI8C0e@jernej-laptop> (raw)
In-Reply-To: <20250320155557.211211-1-andre.przywara@arm.com>
Dne četrtek, 20. marec 2025 ob 16:55:57 Srednjeevropski standardni čas je Andre Przywara napisal(a):
> A KASAN enabled kernel reports an out-of-bounds access when handling the
> nvmem cell in the sun50i cpufreq driver:
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in sun50i_cpufreq_nvmem_probe+0x180/0x3d4
> Read of size 4 at addr ffff000006bf31e0 by task kworker/u16:1/38
>
> This is because the DT specifies the nvmem cell as covering only two
> bytes, but we use a u32 pointer to read the value. DTs for other SoCs
> indeed specify 4 bytes, so we cannot just shorten the variable to a u16.
>
> Fortunately nvmem_cell_read() allows to return the length of the nvmem
> cell, in bytes, so we can use that information to only access the valid
> portion of the data.
> To cover multiple cell sizes, use memcpy() to copy the information into a
> zeroed u32 buffer, then also make sure we always read the data in little
> endian fashion, as this is how the data is stored in the SID efuses.
>
> Fixes: 6cc4bcceff9a ("cpufreq: sun50i: Refactor speed bin decoding")
> Reported-by: Jernej Skrabec <jernej.skrabec@gmail.com>
> Signed-off-by: Andre Przywara <andre.przywara@arm.com>
Thanks for fixing that!
Reviewed-by: Jernej Škrabec <jernej.skrabec@gmail.com>
Best regards,
Jernej
next prev parent reply other threads:[~2025-03-22 7:40 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-20 15:55 [PATCH] cpufreq: sun50i: prevent out-of-bounds access Andre Przywara
2025-03-22 7:38 ` Jernej Škrabec [this message]
2025-03-24 5:48 ` Viresh Kumar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2772067.mvXUDI8C0e@jernej-laptop \
--to=jernej.skrabec@gmail.com \
--cc=andre.przywara@arm.com \
--cc=fusibrandon13@gmail.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-pm@vger.kernel.org \
--cc=linux-sunxi@lists.linux.dev \
--cc=rafael@kernel.org \
--cc=samuel@sholland.org \
--cc=tiny.windzz@gmail.com \
--cc=viresh.kumar@linaro.org \
--cc=wens@csie.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox