From patchwork Wed Sep 11 07:11:14 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Linus Walleij X-Patchwork-Id: 827367 Delivered-To: patch@linaro.org Received: by 2002:adf:ab1c:0:b0:367:895a:4699 with SMTP id q28csp663828wrc; Wed, 11 Sep 2024 00:12:05 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCX+ris/OizfO63fd7mpLW9LL3UXU2RvyaEEFIU6ukn6UiEmAtR7MgxVxo5BeNKDNshaXJgYog==@linaro.org X-Google-Smtp-Source: AGHT+IHPUUzOneW/GGWals8Vvd3vwWPBFcuXT7iDt3oecFn0ekG7csWjxjnCWs94Uc2EiUYHbNK1 X-Received: by 2002:a5d:658f:0:b0:374:bd01:707c with SMTP id ffacd0b85a97d-3789243fd50mr10996516f8f.48.1726038725306; Wed, 11 Sep 2024 00:12:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1726038725; cv=none; d=google.com; s=arc-20240605; b=OVFgPyG6v1qmZC+NNqOU1s7K9+UCaHFU/4JuBS+Pi1Dnlg10rAjZaKO0D+JhLqWtHQ 7DLA1q9K+32v63jpDlxLbGawDWShqUsYyXvWANulXiMnp7dNFv9fTo8DOBxKlhFVhGHt Xf5znkfkoQYqtexhDDZ1LGSZQIgNSRw1FAGeDMBI5GpQ7u8eHLjaK5J8tmwmSRbYRY7i 39vTb0CKgT3zxoRi+Rn7LUisawre0uB1Bj3GbBB44n0n2vKYwhyfg/ZI1hJn7ZdNrVtF K0sf1ZZ7gpZvma3iCcxhxFntY2NtI8hIisDHxjdZv0DQQuEal7oI2l0xPM+BIVRmlW67 Fojw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:cc:to:in-reply-to:references :message-id:content-transfer-encoding:mime-version:subject:date:from :dkim-signature; bh=EvEkZF2r2AqggnLWTgwzPhL/JoYelLUDEL1aq/7CH+o=; fh=bbSjVJcsz6ma3Arirz+KWNos93PEC62yDVUDN8y6koA=; b=PmeJMJ0YiCRBj8E/4rBBxlMMJxECv6H7R7DMBf91ezHV/GltJIFYUMjOImchiE8VJp WiNRk7UUzwCpVXzvdLHRpudyLByD30I60cf73v5Lgk4E/Y/yd8X9l05tI0SQFxqNb2Oq mx+F6ps6uVb366bD8fh7U790yWFpJQVA9RWHyF1pOy/kQODYDkpEHlwOwu6RfCUZ4ozI Xi9vT3DpbZDp3er+WE8nsLFbf99/6VPbsVw7RjkM41vpmWmOdqRNpSbiXK4Ae2lJCd4x xd7YlrtrKNqoVKquuT9+NSvAB1gwkPHocQhARY0gxMDg0RQ82SwHT8qJg7ZVB/lqIGz2 f8dw==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b="GGucw/+E"; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org; dara=neutral header.i=@linaro.org Return-Path: Received: from phobos.denx.de (phobos.denx.de. [2a01:238:438b:c500:173d:9f52:ddab:ee01]) by mx.google.com with ESMTPS id ffacd0b85a97d-378956d902esi3832951f8f.1003.2024.09.11.00.12.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 11 Sep 2024 00:12:05 -0700 (PDT) Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b="GGucw/+E"; spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates 2a01:238:438b:c500:173d:9f52:ddab:ee01 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org; dara=neutral header.i=@linaro.org Received: from h2850616.stratoserver.net (localhost [IPv6:::1]) by phobos.denx.de (Postfix) with ESMTP id B5FAD891ED; Wed, 11 Sep 2024 09:11:38 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de Authentication-Results: phobos.denx.de; dkim=pass (2048-bit key; unprotected) header.d=linaro.org header.i=@linaro.org header.b="GGucw/+E"; dkim-atps=neutral Received: by phobos.denx.de (Postfix, from userid 109) id 3E11D88D17; Wed, 11 Sep 2024 09:11:37 +0200 (CEST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de X-Spam-Level: X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2 Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)) (No client certificate requested) by phobos.denx.de (Postfix) with ESMTPS id E1BE9891CA for ; Wed, 11 Sep 2024 09:11:34 +0200 (CEST) Authentication-Results: phobos.denx.de; dmarc=pass (p=none dis=none) header.from=linaro.org Authentication-Results: phobos.denx.de; spf=pass smtp.mailfrom=linus.walleij@linaro.org Received: by mail-lf1-x133.google.com with SMTP id 2adb3069b0e04-5365a9574b6so7432270e87.1 for ; Wed, 11 Sep 2024 00:11:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; t=1726038694; x=1726643494; darn=lists.denx.de; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=EvEkZF2r2AqggnLWTgwzPhL/JoYelLUDEL1aq/7CH+o=; b=GGucw/+EDKFZ0daQCNxvIhDG+Cn5Q3v0LNMCsd4rYYxFv4zPS0OGALL/m7IRoj/rpp xmVm+lqLU0aUHON8AM+WAiHdEDQsCDRFgZ43AXt+CVcmINjDv+H9cxZdmSi1QTDXeG+M 9diqiWviT/DJqZ51HkwTsneGWfqFh6iipwnsfRhofkiztdgLR0W+zuIjUKjef83GQXAD Us/LLi0PJgYKhG2rmjVU/4vRMrKOI3pq9y4UKdQEEROTYjfE+pmjefKWAuSOI54bolh/ IGwo2dBL4HmW8UkUVdnlG/93OgpfzTVQ9fzeqSwwWk1u20gjvtr+kw2Fx4/R8OR7UvjJ 4YvA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1726038694; x=1726643494; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=EvEkZF2r2AqggnLWTgwzPhL/JoYelLUDEL1aq/7CH+o=; b=puklRy/Vp3U5aQx6dHpBPZXS98+NWSHJ5E9QJyTzIko3YAl9Ka4vLG304lUqeYrob3 yzy7etAQJUhpSDpgUGI/rgQM754rH5uv61H//1XwgY6AGYC5Psya3g0853eF6PFlTBjt BJ5O/MnXD+3FhIs6B2OlT4A8GnaisMSn56asn1YtEnh6/5ZIIkCYmg9TDM2MbMrjGNCj SElQkmyqlDZgKAkFX/P4Vs7iHwWorpiBLgLejqisAoMOMz8wH+VR0p5K44YAigPGtwku pDbmLCSLRHSVfVxAeeQWYcvh5XOtxaq6PK91XornPeaQbfAc3BjELidOrsQZEKQwCLUX djMQ== X-Gm-Message-State: AOJu0YwibC9ZfxsMM+QSbp7txc/aqPuVKsaksDzXlwHp2X5nMcAiNdwT /KNQnkvmLRgC3GJ5ZxGkRGWrar8Sf4P0oZNTQnyNBIa83jnvgzxl1eAvkp2Mw+0aXLIol8yxF7A f X-Received: by 2002:a05:6512:33c8:b0:535:6aa8:dc49 with SMTP id 2adb3069b0e04-536587a672emr14143652e87.9.1726038694002; Wed, 11 Sep 2024 00:11:34 -0700 (PDT) Received: from lino.lan ([85.235.12.238]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-a8d25926ee8sm580523866b.50.2024.09.11.00.11.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 11 Sep 2024 00:11:32 -0700 (PDT) From: Linus Walleij Date: Wed, 11 Sep 2024 09:11:14 +0200 Subject: [PATCH 3/7] mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write MIME-Version: 1.0 Message-Id: <20240911-brcmnand-fixes-v1-3-be112a20aaf1@linaro.org> References: <20240911-brcmnand-fixes-v1-0-be112a20aaf1@linaro.org> In-Reply-To: <20240911-brcmnand-fixes-v1-0-be112a20aaf1@linaro.org> To: u-boot@lists.denx.de, Dario Binacchi , Michael Trimarchi , Anand Gore , William Zhang , Kursad Oney , Philippe Reynes Cc: Linus Walleij , Florian Fainelli , Miquel Raynal X-Mailer: b4 0.14.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de X-Virus-Status: Clean From: William Zhang Backport of upstream Linux commit 5d53244186c9ac58cb88d76a0958ca55b83a15cd "mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write" When the oob buffer length is not in multiple of words, the oob write function does out-of-bounds read on the oob source buffer at the last iteration. Fix that by always checking length limit on the oob buffer read and fill with 0xff when reaching the end of the buffer to the oob registers. Signed-off-by: William Zhang Reviewed-by: Florian Fainelli Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20230706182909.79151-5-william.zhang@broadcom.com Signed-off-by: Linus Walleij --- drivers/mtd/nand/raw/brcmnand/brcmnand.c | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/drivers/mtd/nand/raw/brcmnand/brcmnand.c b/drivers/mtd/nand/raw/brcmnand/brcmnand.c index 46a4107a83a9..60d34bd21f53 100644 --- a/drivers/mtd/nand/raw/brcmnand/brcmnand.c +++ b/drivers/mtd/nand/raw/brcmnand/brcmnand.c @@ -1334,19 +1334,33 @@ static int write_oob_to_regs(struct brcmnand_controller *ctrl, int i, const u8 *oob, int sas, int sector_1k) { int tbytes = sas << sector_1k; - int j; + int j, k = 0; + u32 last = 0xffffffff; + u8 *plast = (u8 *)&last; /* Adjust OOB values for 1K sector size */ if (sector_1k && (i & 0x01)) tbytes = max(0, tbytes - (int)ctrl->max_oob); tbytes = min_t(int, tbytes, ctrl->max_oob); - for (j = 0; j < tbytes; j += 4) + /* + * tbytes may not be multiple of words. Make sure we don't read out of + * the boundary and stop at last word. + */ + for (j = 0; (j + 3) < tbytes; j += 4) oob_reg_write(ctrl, j, (oob[j + 0] << 24) | (oob[j + 1] << 16) | (oob[j + 2] << 8) | (oob[j + 3] << 0)); + + /* handle the remaing bytes */ + while (j < tbytes) + plast[k++] = oob[j++]; + + if (tbytes & 0x3) + oob_reg_write(ctrl, (tbytes & ~0x3), (__force u32)cpu_to_be32(last)); + return tbytes; }