References: <20231003131343.1324962-1-loic.poulain@linaro.org> <53348f45-f5c5-e5ba-b0a8-d004655a6053@linaro.org>
In-Reply-To: <53348f45-f5c5-e5ba-b0a8-d004655a6053@linaro.org>
From: Loic Poulain
Date: Mon, 16 Oct 2023 15:48:28 +0200
Subject: Re: [PATCH] nvmem: core: Fix possible buffer overflow on nvmem cell write
To: Srinivas Kandagatla
Cc: linux-kernel@vger.kernel.org
Hi Srini,

On Sat, 7 Oct 2023 at 12:22, Srinivas Kandagatla wrote:
>
> Thanks Loic for the patch,
>
> On 03/10/2023 14:13, Loic Poulain wrote:
> > Nothing prevents a nvmem consumer to try writing excessive data to a
> > given nvmem cell (except when bit_offset is 0). The allocated buffer
> > of size 'cell->bytes' in nvmem_cell_prepare_write_buffer may not be
> > large enough to host the copied 'len' bytes.
> >
> Did you hit this path?
>
> __nvmem_cell_entry_write already has a check for (cell->bit_offset ==
> 0 && len != cell->bytes))
>
> What is the bit_offset in your case?
>
> Can you provide more details?

I hit the issue while playing with the nvmem-reboot-mode driver, allocating
2 bits of a persistent register at bit offset 2 for the reboot mode. The
nvmem-reboot-mode driver calls nvmem_cell_write() with a 32-bit len value,
so we end up in nvmem_cell_prepare_write_buffer allocating a 1-byte
(cell->bytes) buffer and copying a 4-byte len value into it.

You can find below the dts example.

```
{
	&snvs_lpgpr {
		#address-cells = <1>;
		#size-cells = <1>;

		something@0 {
			/* reg[2:0] */
			reg = <0x0 0x4>;
			bits = <2 2>;
		};

		reboot_mode: reboot-mode@0 {
			/* reg[4:2] */
			reg = <0x0 0x4>;
			bits = <2 2>;
		};
	};

	reboot-mode {
		compatible = "nvmem-reboot-mode";
		nvmem-cells = <&reboot_mode>;
		nvmem-cell-names = "reboot-mode";
		mode-normal = <0>;
		mode-fastboot = <1>;
		mode-recovery = <2>;
	};
};
```
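Added example, not part of this thread and not the nvmem core's own code: a userspace C model of the length check and the bit-merging cell write discussed above, driven by the reboot_mode cell from the dts (bits = <2 2>, so the cell spans bit offset 2, width 2, and cell->bytes works out to 1). The struct cell, cell_from_bits, len_check_* and cell_write_model names are this example's own assumptions, the register contents are constructed, and the hardened check is this example's suggestion, not the posted patch. It shows why the existing (bit_offset == 0 && len != cell->bytes) check does not fire for this cell, and what a check that covers the non-zero bit_offset path looks like.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BITS_PER_BYTE 8

/* Constructed model of the per-cell fields nvmem core derives from a DT
 * "reg"/"bits" pair; not the kernel's struct nvmem_cell_entry. */
struct cell {
	unsigned int offset;     /* first byte of the cell in the device */
	size_t bytes;            /* size of the scratch buffer the prepare routine allocates */
	unsigned int bit_offset; /* bits = <bit_offset nbits> */
	unsigned int nbits;
};

static struct cell cell_from_bits(unsigned int offset, unsigned int bit_offset,
				  unsigned int nbits)
{
	struct cell c = { .offset = offset, .bit_offset = bit_offset, .nbits = nbits };

	/* cell->bytes covers only the bits the cell uses, rounded up to whole bytes */
	c.bytes = (bit_offset + nbits + BITS_PER_BYTE - 1) / BITS_PER_BYTE;
	return c;
}

/* The check quoted in the thread: it only rejects a bad len when bit_offset is 0. */
static bool len_check_current(unsigned int bit_offset, unsigned int nbits, size_t len)
{
	struct cell c = cell_from_bits(0, bit_offset, nbits);

	return !(c.bit_offset == 0 && len != c.bytes);
}

/* Hardened variant (this example's suggestion, not the posted patch): the consumer
 * may never hand over more bytes than the cell->bytes buffer can hold. */
static bool len_check_hardened(unsigned int bit_offset, unsigned int nbits, size_t len)
{
	struct cell c = cell_from_bits(0, bit_offset, nbits);

	if (c.bit_offset == 0)
		return len == c.bytes;
	return len <= c.bytes;
}

/* Model of the bit-merging write for cells of up to 4 bytes: shift the consumer
 * value into place and keep the neighbouring bits of the backing register.
 * Returns 0 on success, -1 when the copy would overrun the scratch buffer. */
static int cell_write_model(uint8_t *dev, size_t dev_len, const struct cell *c,
			    const uint8_t *val, size_t len)
{
	uint8_t buf[4] = { 0 };
	uint32_t v = 0, cur = 0, mask;
	size_t i;

	if (!len_check_hardened(c->bit_offset, c->nbits, len) ||
	    c->bytes > sizeof(buf) || c->offset + c->bytes > dev_len)
		return -1;

	memcpy(buf, val, len); /* safe here: len <= c->bytes <= sizeof(buf) */
	for (i = 0; i < c->bytes; i++) {
		v |= (uint32_t)buf[i] << (BITS_PER_BYTE * i);
		cur |= (uint32_t)dev[c->offset + i] << (BITS_PER_BYTE * i);
	}
	mask = (c->nbits >= 32 ? 0xffffffffu : ((1u << c->nbits) - 1)) << c->bit_offset;
	cur = (cur & ~mask) | ((v << c->bit_offset) & mask);
	for (i = 0; i < c->bytes; i++)
		dev[c->offset + i] = (uint8_t)(cur >> (BITS_PER_BYTE * i));
	return 0;
}

/* Write a reboot mode into the "bits = <2 2>" cell of a constructed one-byte
 * register, passing the consumer's value as a little-endian buffer of 'len'
 * bytes (the reboot-mode driver passes 4). Returns the new byte, or -1 if refused. */
static int write_reboot_mode(uint8_t initial, uint32_t mode, size_t len)
{
	uint8_t dev[1] = { initial };
	uint8_t val[4];
	struct cell reboot = cell_from_bits(0, 2, 2);
	size_t i;

	for (i = 0; i < sizeof(val); i++)
		val[i] = (uint8_t)(mode >> (BITS_PER_BYTE * i));
	if (cell_write_model(dev, sizeof(dev), &reboot, val, len) < 0)
		return -1;
	return dev[0];
}

int main(void)
{
	printf("reboot cell: bytes=%zu, len 4 passes current check: %d, hardened: %d\n",
	       cell_from_bits(0, 2, 2).bytes, len_check_current(2, 2, 4),
	       len_check_hardened(2, 2, 4));
	printf("mode 2, len 1, register 0xf1 -> 0x%02x\n", write_reboot_mode(0xf1, 2, 1));
	printf("mode 2, len 4 -> %d (refused)\n", write_reboot_mode(0xf1, 2, 4));
	return 0;
}
```

With bit_offset 2 the current check returns true for len 4 even though cell->bytes is 1, which is exactly the memcpy of 4 bytes into a 1-byte allocation the thread describes; the model refuses that call instead of overrunning. For a cell with bit_offset 0 both checks behave the same, so the hardened variant only tightens the path the existing check skips.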