From: sashiko-bot@kernel.org
To: "Ciprian Regus via B4 Relay"
<devnull+ciprian.regus.analog.com@kernel.org>
Cc: robh@kernel.org, conor+dt@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH net-next v4 02/13] net: ethernet: oa_tc6: Handle the OA TC6 SPI protected mode
Date: Wed, 10 Jun 2026 15:28:20 +0000
Message-ID: <20260610152821.16D7C1F0089A@smtp.kernel.org>
In-Reply-To: <20260609-adin1140-driver-v4-2-0753e28ee004@analog.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] The `size` parameter in `oa_tc6_check_ctrl_write_reply` is typed as `u8`, but it receives a calculated `u16` SPI transaction size from `oa_tc6_perform_ctrl`. This size can be up to 1032 bytes in protected mode or 520 bytes in unprotected mode. The truncation to `u8` causes integer underflow in the `memcmp` length calculation `size - OA_TC6_CTRL_IGNORED_SIZE` (where ignored size is 4). For example, a size of 256 (which occurs when writing exactly 31 registers in protected mode or 62 in unprotected mode) is truncated to 0, causing `0 - 4 = -4`. This negative value is cast to a massive `size_t` value, resulting in a severe out-of-bounds memory read.
--
commit f635b76e9df199f1fc90b685521cd415a107c2a3
Author: Ciprian Regus <ciprian.regus@analog.com>
net: ethernet: oa_tc6: Handle the OA TC6 SPI protected mode
This commit implements the OA TC6 standard protected mode for control
transactions. It adds support for including 1's complement values of the
data field in SPI transfer frames, which acts as an integrity check.
> diff --git a/drivers/net/ethernet/oa_tc6.c b/drivers/net/ethernet/oa_tc6.c
> --- a/drivers/net/ethernet/oa_tc6.c
> +++ b/drivers/net/ethernet/oa_tc6.c
[ ... ]
> @@ -283,10 +320,10 @@ static int oa_tc6_perform_ctrl(struct oa_tc6 *tc6, u32 address, u32 value[],
> u16 size;
> int ret;
>
> - /* Prepare control command and copy to SPI control buffer */
> - oa_tc6_prepare_ctrl_spi_buf(tc6, address, value, length, reg_op);
> + size = oa_tc6_calculate_ctrl_buf_size(length, tc6->prot_ctrl);
[ ... ]
> /* Check echoed/received control write command reply for errors */
> if (reg_op == OA_TC6_CTRL_REG_WRITE)
> return oa_tc6_check_ctrl_write_reply(tc6, size);
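Review bot: the call `return oa_tc6_check_ctrl_write_reply(tc6, size);` at the end of this hunk passes the `u16 size` computed by oa_tc6_calculate_ctrl_buf_size() into a parameter that the signature quoted below declares as `u8`, so the value is narrowed at the call. Since this patch reworks how `size` is computed, consider a preparatory patch in the series that widens the parameter to `u16` and rejects any size not greater than OA_TC6_CTRL_IGNORED_SIZE before the subtraction in the memcmp() length.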
[Severity: High]
This isn't a bug introduced by this patch, but could this lead to an out of
bounds memory access when the size gets truncated?
Looking at oa_tc6_check_ctrl_write_reply(), the size parameter is typed
as u8:
    static int oa_tc6_check_ctrl_write_reply(struct oa_tc6 *tc6, u8 size)
    {
            ...
            if (memcmp(tx_buf, rx_buf, size - OA_TC6_CTRL_IGNORED_SIZE))
            ...
    }
Since oa_tc6_perform_ctrl() calculates a u16 size (which can be up to 1032
bytes in protected mode or 520 bytes in unprotected mode), passing it to a
function expecting a u8 will truncate the value.
If the truncated size is less than OA_TC6_CTRL_IGNORED_SIZE (which is 4),
for example if the original size is exactly 256, wouldn't the subtraction
underflow?
This would pass a massive size_t value to memcmp() and cause an out of
bounds read on the spi_ctrl_tx_buf and spi_ctrl_rx_buf buffers.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260609-adin1140-driver-v4-0-0753e28ee004@analog.com?part=2
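The truncation arithmetic described in the review above, as an added example that is not part of the original message or of the oa_tc6 driver: it computes the length memcmp() would receive through a u8 parameter for the sizes the review mentions, beside a hypothetical full-width check. The names `cmp_len_u8`, `check_reply_u16`, `truncated_check_misses_mismatch`, `CTRL_BUF_MAX` and the buffer contents are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OA_TC6_CTRL_IGNORED_SIZE 4  /* value given in the review */
#define CTRL_BUF_MAX 1032           /* largest transfer size the review mentions */

/* Length memcmp() receives when the size parameter is u8, as in the quoted
 * signature. The cast makes the implicit narrowing at the call site explicit.
 * Only the length is computed here; nothing is read with it. */
size_t cmp_len_u8(uint16_t spi_size)
{
    uint8_t size = (uint8_t)spi_size;        /* 256 -> 0, 520 -> 8 */
    return size - OA_TC6_CTRL_IGNORED_SIZE;  /* int -4 converts to a huge size_t */
}

/* Hypothetical hardened check: full-width size, validated before subtracting.
 * Returns 0 when the echoed bytes match, -1 on mismatch or a bad size. */
int check_reply_u16(const uint8_t *tx, const uint8_t *rx, uint16_t size)
{
    if (size <= OA_TC6_CTRL_IGNORED_SIZE || size > CTRL_BUF_MAX)
        return -1;
    return memcmp(tx, rx, (size_t)size - OA_TC6_CTRL_IGNORED_SIZE) ? -1 : 0;
}

/* Constructed data: a 520-byte write whose echo differs at offset 100.
 * Returns 1 if the truncated length misses the mismatch that the
 * full-width check reports. */
int truncated_check_misses_mismatch(void)
{
    static uint8_t tx[CTRL_BUF_MAX], rx[CTRL_BUF_MAX];
    memset(tx, 0xA5, sizeof(tx));
    memset(rx, 0xA5, sizeof(rx));
    rx[100] ^= 0xFF;

    size_t short_len = cmp_len_u8(520);                 /* 4 bytes */
    int truncated_ok = memcmp(tx, rx, short_len) == 0;  /* mismatch not seen */
    int hardened_bad = check_reply_u16(tx, rx, 520) == -1;
    return truncated_ok && hardened_bad;
}
```

Besides the wrap-around at 256, the same narrowing shortens the comparison for larger sizes, so most of the echoed frame goes unverified.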