From: Jennifer Berringer <jberring@redhat.com>
To: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>,
Sebastian Reichel <sre@kernel.org>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Maxime Ripard <mripard@kernel.org>
Cc: linux-kernel@vger.kernel.org, linux-pm@vger.kernel.org,
Jennifer Berringer <jberring@redhat.com>
Subject: [PATCH v3 0/3] nvmem: fix out-of-bounds reboot-mode write
Date: Mon, 4 Nov 2024 10:23:09 -0500
Message-ID: <20241104152312.3813601-1-jberring@redhat.com>
Hi all,
These patches fix a small out-of-bounds write when using the
nvmem-reboot-mode driver on Qualcomm SA8775P, such as by executing
"reboot bootloader" in a shell. Relevant error log:
BUG: KASAN: slab-out-of-bounds in nvmem_cell_prepare_write_buffer+0x144/0x47c
Write of size 4 at addr ffff19dd8e1a37a0 by task systemd-shutdow/1
Hardware name: Qualcomm SA8775P Ride (DT)
Call trace:
nvmem_cell_prepare_write_buffer
nvmem_cell_write
nvmem_reboot_mode_write
The buggy address is located 0 bytes inside of
allocated 1-byte region
This problem manifested because the devicetree file sa8775p-pmics.dtsi
specifies its reboot-mode cell with "reg = <0x48 0x1>" and so expects
the reboot mode write to only be 1 byte rather than 4. Other in-tree
devicetrees that seem likely affected include pmk8350 and pmk8550.
These changes add the missing bounds check to nvmem_cell_write and make
nvmem-reboot-mode able to only write as many bytes as it needs to.
v2:
- Added missing function definition for CONFIG_NVMEM=n
v3:
- Accepted suggestion for changing nvmem_cell_write bounds check
---
Jennifer Berringer (3):
nvmem: core: improve range check for nvmem_cell_write()
nvmem: core: add nvmem_cell_write_variable_u32()
power: reset: nvmem-reboot-mode: fix write for small cells
drivers/nvmem/core.c | 26 +++++++++++++++++++++++++
drivers/power/reset/nvmem-reboot-mode.c | 2 +-
include/linux/nvmem-consumer.h | 6 ++++++
3 files changed, 33 insertions(+), 1 deletion(-)
base-commit: 98f7e32f20d28ec452afb208f9cffc08448a2652
--
2.46.2
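The failure described in this cover letter is a length mismatch: the consumer hands a 4-byte value to nvmem_cell_write() while the devicetree cell (reg = <0x48 0x1>) is only 1 byte wide, and the core copies the full 4 bytes. The following user-space model is an added illustration, not the series' own patches or the kernel's nvmem code: it shows the two defensive pieces the series describes, a length check in the cell write path and a variable-width u32 write that emits only as many bytes as the cell holds. The struct model_cell type, the function names, the 0x50-byte backing store, the canary byte and the reboot-mode value 0x02 are all constructed for the example.

```c
/* Added illustration, not the kernel's code: a user-space model of an
 * nvmem cell write with a bounds check and a variable-width u32 write. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical cell descriptor: "reg = <0x48 0x1>" maps to offset 0x48, 1 byte. */
struct model_cell {
    size_t offset;
    size_t bytes;
    uint8_t *store;  /* constructed backing store standing in for the register window */
};

/* Model of the core write path: refuse any write whose length does not
 * match the cell size, so a 4-byte u32 cannot spill past a 1-byte cell.
 * (The exact check the series adds is in patch 1/3; this is an assumption.) */
static int model_cell_write(struct model_cell *cell, const void *buf, size_t len)
{
    if (!cell || !cell->store || len != cell->bytes)
        return -EINVAL;
    memcpy(cell->store + cell->offset, buf, len);
    return (int)len;
}

/* Model of a variable-width u32 write: encode the value little-endian in
 * exactly cell->bytes bytes and reject values that do not fit the cell. */
static int model_cell_write_variable_u32(struct model_cell *cell, uint32_t val)
{
    uint8_t buf[4];
    size_t i;

    if (!cell || cell->bytes == 0 || cell->bytes > sizeof(buf))
        return -EINVAL;
    /* any bit above bytes*8 would be silently lost: treat that as an error */
    if (cell->bytes < sizeof(buf) && (val >> (cell->bytes * 8)) != 0)
        return -ERANGE;
    for (i = 0; i < cell->bytes; i++)
        buf[i] = (uint8_t)(val >> (8 * i));
    return model_cell_write(cell, buf, cell->bytes);
}

/* Replays the cover-letter scenario on a 1-byte cell at 0x48. Returns 0 when
 * the oversized write is rejected, the narrow write lands, and the byte right
 * after the cell (a constructed canary) is untouched; non-zero otherwise. */
int demo_reboot_mode_write(void)
{
    static uint8_t store[0x50];
    struct model_cell cell = { .offset = 0x48, .bytes = 1, .store = store };
    uint32_t mode = 0x02;   /* constructed reboot-mode value for the example */
    int ret;

    memset(store, 0, sizeof(store));
    store[0x49] = 0xA5;     /* canary: would be clobbered by a 4-byte write */

    /* the pre-fix pattern: a 4-byte value aimed at a 1-byte cell */
    ret = model_cell_write(&cell, &mode, sizeof(mode));
    if (ret != -EINVAL)
        return 1;

    /* the fixed pattern: write only as many bytes as the cell holds */
    ret = model_cell_write_variable_u32(&cell, mode);
    if (ret != 1)
        return 2;
    if (store[0x48] != 0x02 || store[0x49] != 0xA5)
        return 3;

    /* a value wider than the cell is refused instead of truncated */
    if (model_cell_write_variable_u32(&cell, 0x1234) != -ERANGE)
        return 4;
    return 0;
}

int main(void)
{
    int rc = demo_reboot_mode_write();
    printf("%s\n", rc == 0 ? "bounds check and narrow write behave as expected" : "mismatch");
    return rc;
}
```

The point of the canary at 0x49 is to make the failure mode visible: with the length check in place the 4-byte write never reaches the backing store, and the variable-width path writes the single byte the cell actually owns. Under KASAN the same spill in the kernel surfaces as the slab-out-of-bounds report quoted above.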
Thread overview: 9+ messages
2024-11-04 15:23 Jennifer Berringer [this message]
2024-11-04 15:23 ` [PATCH v3 1/3] nvmem: core: improve range check for nvmem_cell_write() Jennifer Berringer
2024-11-04 15:23 ` [PATCH v3 2/3] nvmem: core: add nvmem_cell_write_variable_u32() Jennifer Berringer
2024-12-14 15:07 ` Srinivas Kandagatla
2024-12-20 19:39 ` Jennifer Berringer
2024-12-30 13:50 ` Srinivas Kandagatla
2024-11-04 15:23 ` [PATCH v3 3/3] power: reset: nvmem-reboot-mode: fix write for small cells Jennifer Berringer
2024-11-11 22:07 ` Sebastian Reichel
2024-12-20 16:48 ` (subset) [PATCH v3 0/3] nvmem: fix out-of-bounds reboot-mode write Srinivas Kandagatla