Date: Sun, 16 May 2021 22:34:23 +0200
From: Pavel Machek
To: Greg Kroah-Hartman
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, Quanyang Wang, Mark Brown, Sasha Levin
Subject: Re: [PATCH 5.10 264/530] spi: spi-zynqmp-gqspi: fix use-after-free in zynqmp_qspi_exec_op
Message-ID: <20210516203423.GA11471@duo.ucw.cz>
In-Reply-To: <20210512144828.501430855@linuxfoundation.org>
References: <20210512144819.664462530@linuxfoundation.org> <20210512144828.501430855@linuxfoundation.org>

Hi!

> When handling op->addr, it is using the buffer "tmpbuf" which has been
> freed. This will trigger a use-after-free KASAN warning. Let's use
> temporary variables to store op->addr.val and op->cmd.opcode to fix
> this issue.

I believe this is "cure worse than the disease".

> +++ b/drivers/spi/spi-zynqmp-gqspi.c > @@ -926,8 +926,9 @@ static int zynqmp_qspi_exec_op(struct spi_mem *mem, > struct zynqmp_qspi *xqspi =3D spi_controller_get_devdata > (mem->spi->master); > int err =3D 0, i; > - u8 *tmpbuf; > u32 genfifoentry =3D 0; > + u16 opcode =3D op->cmd.opcode; > + u64 opaddr; > =20 > dev_dbg(xqspi->dev, "cmd:%#x mode:%d.%d.%d.%d\n", > op->cmd.opcode, op->cmd.buswidth, op->addr.buswidth,
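Review bot: the replacements for `u8 *tmpbuf` are two fixed-width stack locals, `u16 opcode = op->cmd.opcode;` and `u64 opaddr;`, so the number of bytes the transfer may read is now fixed by the variable types (2 and 8) rather than by op->cmd.nbytes as it was with kzalloc(op->cmd.nbytes, ...), and this hunk adds no check that nbytes fits in either. The removed allocation also used GFP_DMA, which says the buffer was expected to be DMA-capable, and a stack local is not. Suggest an explicit byte buffer kept in struct zynqmp_qspi (allocated once from a DMA-capable pool) together with `if (op->cmd.nbytes > sizeof(...)) return -EINVAL;` before it is filled, plus a comment explaining that the use-after-free came from freeing tmpbuf before the op->addr phase used it, so the reader knows what ordering the new storage has to respect.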
> @@ -940,14 +941,8 @@ static int zynqmp_qspi_exec_op(struct spi_mem *mem, > genfifoentry |=3D xqspi->genfifobus; > =20 > if (op->cmd.opcode) { > - tmpbuf =3D kzalloc(op->cmd.nbytes, GFP_KERNEL | GFP_DMA); > - if (!tmpbuf) { > - mutex_unlock(&xqspi->op_lock); > - return -ENOMEM; > - } > - tmpbuf[0] =3D op->cmd.opcode; > reinit_completion(&xqspi->data_completion); > - xqspi->txbuf =3D tmpbuf; > + xqspi->txbuf =3D &opcode; > xqspi->rxbuf =3D NULL; > xqspi->bytes_to_transfer =3D op->cmd.nbytes; > xqspi->bytes_to_receive =3D 0;

So this replaces the "op->cmd.nbytes"-byte DMA buffer with 2 bytes on the
stack.

First, if op->cmd.nbytes is > 2, DMA will overrun that buffer. That can't be
healthy.

Second, you really should not run DMA from on-stack buffers.

Best regards,
								Pavel
-- 
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
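Review bot: `xqspi->txbuf = &opcode;` is paired with an unchanged `xqspi->bytes_to_transfer = op->cmd.nbytes;`, so the transfer length and the buffer length are no longer tied together: sizeof(opcode) is 2 and nothing in the hunk rejects nbytes > 2. Byte order changes as well: the old code stored the opcode as a byte with `tmpbuf[0] = op->cmd.opcode;`, whereas &opcode exposes the u16 in host memory order, so which byte reaches the controller first now depends on the CPU's endianness instead of on the op. Suggest filling an explicit u8 array MSB-first for op->cmd.nbytes bytes, bounds-checked against its size, and keeping that array in device-owned storage rather than on the stack, which is what the removed GFP_DMA allocation implies this path expects.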
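The sizing and byte-order points raised above, as an added example that is not part of this thread, the patch, or the spi-zynqmp-gqspi driver: a user-space C model of staging the opcode and address phases into storage the controller owns for the life of the transfer, with an explicit bound on the staged length and explicit MSB-first serialization. All names (mem_op, ctrl_state, stage_cmd_addr, run_transfer, first_byte_via_pointer) are hypothetical, and MSB-first wire order is assumed from the SPI NOR convention rather than taken from the patch.

```c
/* Added example for this thread; not code from the spi-zynqmp-gqspi driver
 * or from the patch under review. A user-space model of staging the opcode
 * and address bytes of a spi-mem operation in storage the controller owns
 * for the life of the transfer, with the two checks a reviewer would want:
 * the staged length is bounded by the buffer, and byte order is explicit
 * instead of depending on what &opcode holds in host memory.
 * mem_op, ctrl_state, stage_cmd_addr and run_transfer are hypothetical names. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical subset of struct spi_mem_op: the opcode may be two bytes in DTR modes. */
struct mem_op {
	struct { uint8_t nbytes; uint16_t opcode; } cmd;
	struct { uint8_t nbytes; uint64_t val; } addr;
};

/* Deliberately small so the bound is exercised: 2 opcode + 8 address bytes do not fit. */
#define STAGE_MAX 8

/* Hypothetical per-controller state. The staging buffer lives as long as the
 * device (a driver would allocate it once from a DMA-capable pool), so txbuf
 * never points at freed heap memory or at a stack frame that may unwind
 * before the transfer completes. */
struct ctrl_state {
	uint8_t stage[STAGE_MAX];
	const uint8_t *txbuf;
	size_t bytes_to_transfer;
};

/* Serialize val MSB-first into n bytes (assumed wire order, as for SPI NOR addresses). */
static void put_be(uint8_t *dst, uint64_t val, size_t n)
{
	for (size_t i = 0; i < n; i++)
		dst[i] = (uint8_t)(val >> (8 * (n - 1 - i)));
}

/* Stage the command and address phases. Returns the staged length, or -errno. */
int stage_cmd_addr(struct ctrl_state *c, const struct mem_op *op)
{
	size_t need = (size_t)op->cmd.nbytes + op->addr.nbytes;

	/* Width checks replace the implicit "sizeof(u16)" of a bare &opcode. */
	if (op->cmd.nbytes == 0 || op->cmd.nbytes > sizeof(op->cmd.opcode))
		return -EINVAL;
	if (op->addr.nbytes > sizeof(op->addr.val))
		return -EINVAL;
	/* Bound check: bytes_to_transfer can never exceed the buffer it reads from. */
	if (need > sizeof(c->stage))
		return -ENOSPC;

	put_be(c->stage, op->cmd.opcode, op->cmd.nbytes);
	put_be(c->stage + op->cmd.nbytes, op->addr.val, op->addr.nbytes);
	c->txbuf = c->stage;
	c->bytes_to_transfer = need;
	return (int)need;
}

/* Model of the transfer engine: it reads bytes_to_transfer bytes from txbuf. */
size_t run_transfer(const struct ctrl_state *c, uint8_t *wire, size_t wire_cap)
{
	size_t n = c->bytes_to_transfer < wire_cap ? c->bytes_to_transfer : wire_cap;

	memcpy(wire, c->txbuf, n);
	return n;
}

/* Why &opcode is not a byte buffer: the first byte seen through the pointer
 * is whichever end of the u16 the host stores first. */
int host_is_little_endian(void)
{
	uint16_t probe = 1;
	uint8_t first;

	memcpy(&first, &probe, 1);
	return first == 1;
}

uint8_t first_byte_via_pointer(uint16_t opcode)
{
	uint8_t first;

	memcpy(&first, &opcode, 1);
	return first;
}
```

The design choice is that the engine's length field is derived from the same value that bounded the copy, so the two cannot drift apart the way `bytes_to_transfer = op->cmd.nbytes` and a two-byte `opcode` local do; first_byte_via_pointer shows on any host that the byte a pointer to a u16 hands out is endianness-dependent, which is why the opcode is serialized explicitly.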