linux-snps-arc.lists.infradead.org archive mirror
* [PATCH v2 0/9] serial: Fix out-of-bounds accesses through DT aliases
@ 2018-02-23 13:38 Geert Uytterhoeven
  2018-02-23 13:38 ` [PATCH v2 4/9] serial: mxs-auart: Fix out-of-bounds access through serial port index Geert Uytterhoeven
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Geert Uytterhoeven @ 2018-02-23 13:38 UTC (permalink / raw)
  To: linux-snps-arc

	Hi all,

Serial drivers used on DT platforms use the "serialN" alias in DT to
obtain the serial port index for a specific port.  Drivers typically use
a fixed-size array for keeping track of all available serial ports.
However, several drivers do not perform any validation on the index
obtained from DT, which may lead to out-of-bounds accesses of these
fixed-size arrays.

While the DTB passed to the kernel might be considered trusted, some of
these out-of-bounds accesses can be triggered by a legitimate DTB:
  - In some drivers the size of the array is defined by a Kconfig
    symbol, so a user who doesn't need all serial ports may lower this
    value rightfully,
  - Tomorrow's new SoC may have more serial ports than the fixed-size
    array in today's driver can accommodate, which the user may forget
    to enlarge.

Hence this series fixes that by adding checks for out-of-range aliases,
logging an error message when triggered.

Changes compared to v1:
  - Fix Fixes references,
  - Use ARRAY_SIZE(),
  - Fix off-by-one error in patch [5/9],
  - Document where the non-DT case is also fixed by a patch.

Tested on r8a7791/koelsch (sh-sci), all other drivers were
compile-tested only.

Thanks for your comments!

Geert Uytterhoeven (9):
  serial: arc_uart: Fix out-of-bounds access through DT alias
  serial: fsl_lpuart: Fix out-of-bounds access through DT alias
  serial: imx: Fix out-of-bounds access through serial port index
  serial: mxs-auart: Fix out-of-bounds access through serial port index
  serial: pxa: Fix out-of-bounds access through serial port index
  serial: samsung: Fix out-of-bounds access through serial port index
  serial: sh-sci: Fix out-of-bounds access through DT alias
  serial: sirf: Fix out-of-bounds access through DT alias
  serial: xuartps: Fix out-of-bounds access through DT alias

 drivers/tty/serial/arc_uart.c      | 5 +++++
 drivers/tty/serial/fsl_lpuart.c    | 4 ++++
 drivers/tty/serial/imx.c           | 6 ++++++
 drivers/tty/serial/mxs-auart.c     | 4 ++++
 drivers/tty/serial/pxa.c           | 4 ++++
 drivers/tty/serial/samsung.c       | 4 ++++
 drivers/tty/serial/sh-sci.c        | 4 ++++
 drivers/tty/serial/sirfsoc_uart.c  | 5 +++++
 drivers/tty/serial/xilinx_uartps.c | 2 +-
 9 files changed, 37 insertions(+), 1 deletion(-)

-- 
2.7.4

Gr{oetje,eeting}s,

						Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert at linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
							    -- Linus Torvalds
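
The failure mode described in the cover letter, as a userspace model. This is an added example, not code from the series or from any kernel driver; `demo_ports`, `DEMO_NR_UARTS`, `demo_alias_id()` and `demo_get_port()` are hypothetical names, and the alias parser is a simplified stand-in for the kernel's alias lookup. It shows the order of checks: negative lookup result first, then the upper bound against the table size.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <limits.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define DEMO_NR_UARTS 4   /* hypothetical stand-in for a Kconfig-sized table */

struct demo_port { unsigned long mapbase; int line; };
static struct demo_port demo_ports[DEMO_NR_UARTS];

/* Parse a "serialN" alias name into N; negative errno on bad input.
 * Simplified model (assumption), not the kernel's of_alias_get_id(). */
static int demo_alias_id(const char *alias)
{
    char *end;
    long n;

    if (strncmp(alias, "serial", 6) != 0 || alias[6] < '0' || alias[6] > '9')
        return -ENODEV;
    errno = 0;
    n = strtol(alias + 6, &end, 10);
    if (errno || *end != '\0' || n > INT_MAX)
        return -EINVAL;
    return (int)n;
}

/* Checked lookup: the pointer into the table is formed only after the
 * index is known to be inside it. */
static struct demo_port *demo_get_port(const char *alias, int *err)
{
    int id = demo_alias_id(alias);

    if (id < 0) {                                  /* lookup failed */
        *err = id;
        return NULL;
    }
    if ((size_t)id >= ARRAY_SIZE(demo_ports)) {    /* alias beyond the table */
        *err = -EINVAL;
        return NULL;
    }
    *err = 0;
    demo_ports[id].line = id;
    return &demo_ports[id];
}

int main(void)
{
    int err;
    return demo_get_port("serial3", &err) ? 0 : 1;
}
```

With `DEMO_NR_UARTS` lowered to 2, the same well-formed `serial3` alias is rejected instead of indexing past the table, which is the "legitimate DTB" case from the cover letter.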


* [PATCH v2 4/9] serial: mxs-auart: Fix out-of-bounds access through serial port index
  2018-02-23 13:38 [PATCH v2 0/9] serial: Fix out-of-bounds accesses through DT aliases Geert Uytterhoeven
@ 2018-02-23 13:38 ` Geert Uytterhoeven
  2018-02-23 13:38 ` [PATCH v2 7/9] serial: sh-sci: Fix out-of-bounds access through DT alias Geert Uytterhoeven
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Geert Uytterhoeven @ 2018-02-23 13:38 UTC (permalink / raw)
  To: linux-snps-arc

The auart_port[] array is indexed using a value derived from the
"serialN" alias in DT, or from platform data, which may lead to an
out-of-bounds access.

Fix this by adding a range check.

Fixes: 1ea6607d4cdc9179 ("serial: mxs-auart: Allow device tree probing")
Signed-off-by: Geert Uytterhoeven <geert+renesas at glider.be>
---
v2:
  - Fix Fixes reference,
  - Use ARRAY_SIZE(),
  - Update patch description for platform data.
---
 drivers/tty/serial/mxs-auart.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/tty/serial/mxs-auart.c b/drivers/tty/serial/mxs-auart.c
index 079dc47aa142d8e1..caa8a41b6e71df9e 100644
--- a/drivers/tty/serial/mxs-auart.c
+++ b/drivers/tty/serial/mxs-auart.c
@@ -1663,6 +1663,10 @@ static int mxs_auart_probe(struct platform_device *pdev)
 		s->port.line = pdev->id < 0 ? 0 : pdev->id;
 	else if (ret < 0)
 		return ret;
+	if (s->port.line >= ARRAY_SIZE(auart_port)) {
+		dev_err(&pdev->dev, "serial%d out of range\n", s->port.line);
+		return -EINVAL;
+	}
 
 	if (of_id) {
 		pdev->id_entry = of_id->data;
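
Review bot: In the added dev_err() in mxs_auart_probe(), the text "serial%d out of range" names a DT alias, but the context line just above shows s->port.line can also come from pdev->id, the platform-data path the commit message mentions. A neutral wording that also prints the limit, for example "port index %d out of range (max %zu)" with ARRAY_SIZE(auart_port) - 1, would fit both paths and tell the user what to change. If port.line is an unsigned field, %u is the matching specifier. A blank line before the new if would also keep it from reading as part of the preceding if/else-if chain.
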
-- 
2.7.4


* [PATCH v2 7/9] serial: sh-sci: Fix out-of-bounds access through DT alias
  2018-02-23 13:38 [PATCH v2 0/9] serial: Fix out-of-bounds accesses through DT aliases Geert Uytterhoeven
  2018-02-23 13:38 ` [PATCH v2 4/9] serial: mxs-auart: Fix out-of-bounds access through serial port index Geert Uytterhoeven
@ 2018-02-23 13:38 ` Geert Uytterhoeven
       [not found] ` <1519393117-31998-10-git-send-email-geert+renesas@glider.be>
       [not found] ` <1519393117-31998-4-git-send-email-geert+renesas@glider.be>
  3 siblings, 0 replies; 5+ messages in thread
From: Geert Uytterhoeven @ 2018-02-23 13:38 UTC (permalink / raw)
  To: linux-snps-arc

The sci_ports[] array is indexed using a value derived from the
"serialN" alias in DT, which may lead to an out-of-bounds access.

Fix this by adding a range check.

Note that the array size is defined by a Kconfig symbol
(CONFIG_SERIAL_SH_SCI_NR_UARTS), so this can even be triggered using a
legitimate DTB.

Fixes: 97ed9790c514066b ("serial: sh-sci: Remove unused platform data capabilities field")
Signed-off-by: Geert Uytterhoeven <geert+renesas at glider.be>
---
v2:
  - Fix Fixes reference,
  - Use ARRAY_SIZE().
---
 drivers/tty/serial/sh-sci.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c
index 4d14f321cbec95e0..f6a6610d434efc33 100644
--- a/drivers/tty/serial/sh-sci.c
+++ b/drivers/tty/serial/sh-sci.c
@@ -3096,6 +3096,10 @@ static struct plat_sci_port *sci_parse_dt(struct platform_device *pdev,
 		dev_err(&pdev->dev, "failed to get alias id (%d)\n", id);
 		return NULL;
 	}
+	if (id >= ARRAY_SIZE(sci_ports)) {
+		dev_err(&pdev->dev, "serial%d out of range\n", id);
+		return NULL;
+	}
 
 	sp = &sci_ports[id];
 	*dev_id = id;
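
Review bot: The added dev_err() in sci_parse_dt() reports "serial%d out of range" without saying what the range is. The commit message notes that sci_ports[] is sized by CONFIG_SERIAL_SH_SCI_NR_UARTS and that a legitimate DTB can hit this, so printing ARRAY_SIZE(sci_ports) or naming the Kconfig symbol in the message would point the user at the setting to raise. The check itself is placed correctly: after the negative-id return and before &sci_ports[id] is formed.
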
-- 
2.7.4


* [PATCH v2 9/9] serial: xuartps: Fix out-of-bounds access through DT alias
       [not found] ` <1519393117-31998-10-git-send-email-geert+renesas@glider.be>
@ 2018-02-23 13:41   ` Michal Simek
  0 siblings, 0 replies; 5+ messages in thread
From: Michal Simek @ 2018-02-23 13:41 UTC (permalink / raw)
  To: linux-snps-arc

On 23.2.2018 14:38, Geert Uytterhoeven wrote:
> The cdns_uart_port[] array is indexed using a value derived from the
> "serialN" alias in DT, which may lead to an out-of-bounds access.
> 
> Fix this by adding a range check.
> 
> Fixes: 928e9263492069ee ("tty: xuartps: Initialize ports according to aliases")
> Signed-off-by: Geert Uytterhoeven <geert+renesas at glider.be>
> ---
> v2:
>   - Fix Fixes reference.
> ---
>  drivers/tty/serial/xilinx_uartps.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c
> index b9b2bc76bcac606c..abcb4d09a2d866d0 100644
> --- a/drivers/tty/serial/xilinx_uartps.c
> +++ b/drivers/tty/serial/xilinx_uartps.c
> @@ -1110,7 +1110,7 @@ static struct uart_port *cdns_uart_get_port(int id)
>  	struct uart_port *port;
>  
>  	/* Try the given port id if failed use default method */
> -	if (cdns_uart_port[id].mapbase != 0) {
> +	if (id < CDNS_UART_NR_PORTS && cdns_uart_port[id].mapbase != 0) {
>  		/* Find the next unused port */
>  		for (id = 0; id < CDNS_UART_NR_PORTS; id++)
>  			if (cdns_uart_port[id].mapbase == 0)
> 
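
Review bot: The new guard in cdns_uart_get_port() bounds id only from above. The parameter is declared int id, so a negative value still satisfies id < CDNS_UART_NR_PORTS and cdns_uart_port[id] is read before the start of the array. Unless every caller is known to clamp negatives, add id >= 0 to the condition or make the parameter unsigned. Unlike patches 4/9 and 7/9, this path also logs nothing when the alias is out of range, although the cover letter describes the error message as part of the fix.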

Reviewed-by: Michal Simek <michal.simek at xilinx.com>

Thanks,
Michal


* [PATCH v2 3/9] serial: imx: Fix out-of-bounds access through serial port index
       [not found] ` <1519393117-31998-4-git-send-email-geert+renesas@glider.be>
@ 2018-02-23 13:51   ` Uwe Kleine-König
  0 siblings, 0 replies; 5+ messages in thread
From: Uwe Kleine-König @ 2018-02-23 13:51 UTC (permalink / raw)
  To: linux-snps-arc

On Fri, Feb 23, 2018 at 02:38:31PM +0100, Geert Uytterhoeven wrote:
> The imx_ports[] array is indexed using a value derived from the
> "serialN" alias in DT, or from platform data, which may lead to an
> out-of-bounds access.
> 
> Fix this by adding a range check.
> 
> Fixes: ff05967a07225ab6 ("serial/imx: add of_alias_get_id() reference back")
> Signed-off-by: Geert Uytterhoeven <geert+renesas at glider.be>
Reviewed-by: Uwe Kleine-König <u.kleine-koenig at pengutronix.de>

Thanks for your time
Uwe

-- 
Pengutronix e.K.                           | Uwe Kleine-König            |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
