From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Vincent Whitchurch <vincent.whitchurch@axis.com>,
Mark Brown <broonie@kernel.org>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 14/49] spi: spi-loopback-test: Fix out-of-bounds read
Date: Mon, 21 Sep 2020 18:27:58 +0200 [thread overview]
Message-ID: <20200921162035.286175398@linuxfoundation.org> (raw)
In-Reply-To: <20200921162034.660953761@linuxfoundation.org>
From: Vincent Whitchurch <vincent.whitchurch@axis.com>
[ Upstream commit 837ba18dfcd4db21ad58107c65bfe89753aa56d7 ]
The "tx/rx-transfer - crossing PAGE_SIZE" test always fails when
len=131071 and rx_offset >= 5:
spi-loopback-test spi0.0: Running test tx/rx-transfer - crossing PAGE_SIZE
...
with iteration values: len = 131071, tx_off = 0, rx_off = 3
with iteration values: len = 131071, tx_off = 0, rx_off = 4
with iteration values: len = 131071, tx_off = 0, rx_off = 5
loopback strangeness - rx changed outside of allowed range at: ...a4321000
spi_msg@ffffffd5a4157690
frame_length: 131071
actual_length: 131071
spi_transfer@ffffffd5a41576f8
len: 131071
tx_buf: ffffffd5a4340ffc
Note that rx_offset > 3 can only occur if the SPI controller driver sets
->dma_alignment to a higher value than 4, so most SPI controller drivers
are not affect.
The allocated Rx buffer is of size SPI_TEST_MAX_SIZE_PLUS, which is 132
KiB (assuming 4 KiB pages). This test uses an initial offset into the
rx_buf of PAGE_SIZE - 4, and a len of 131071, so the range expected to
be written in this transfer ends at (4096 - 4) + 5 + 131071 == 132 KiB,
which is also the end of the allocated buffer. But the code which
verifies the content of the buffer reads a byte beyond the allocated
buffer and spuriously fails because this out-of-bounds read doesn't
return the expected value.
Fix this by using ITERATE_LEN instead of ITERATE_MAX_LEN to avoid
testing sizes which cause out-of-bounds reads.
Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
Link: https://lore.kernel.org/r/20200902132341.7079-1-vincent.whitchurch@axis.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-loopback-test.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/spi/spi-loopback-test.c b/drivers/spi/spi-loopback-test.c
index bed7403bb6b3a..b9a7117b6dce3 100644
--- a/drivers/spi/spi-loopback-test.c
+++ b/drivers/spi/spi-loopback-test.c
@@ -99,7 +99,7 @@ static struct spi_test spi_tests[] = {
{
.description = "tx/rx-transfer - crossing PAGE_SIZE",
.fill_option = FILL_COUNT_8,
- .iterate_len = { ITERATE_MAX_LEN },
+ .iterate_len = { ITERATE_LEN },
.iterate_tx_align = ITERATE_ALIGN,
.iterate_rx_align = ITERATE_ALIGN,
.transfer_count = 1,
--
2.25.1
next prev parent reply other threads:[~2020-09-21 16:58 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-21 16:27 [PATCH 4.19 00/49] 4.19.147-rc1 review Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.19 01/49] dsa: Allow forwarding of redirected IGMP traffic Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.19 02/49] scsi: qla2xxx: Update rscn_rcvd field to more meaningful scan_needed Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.19 03/49] scsi: qla2xxx: Move rport registration out of internal work_list Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.19 04/49] scsi: qla2xxx: Reduce holding sess_lock to prevent CPU lock-up Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.19 05/49] gfs2: initialize transaction tr_ailX_lists earlier Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.19 06/49] RDMA/bnxt_re: Restrict the max_gids to 256 Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.19 07/49] net: handle the return value of pskb_carve_frag_list() correctly Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.19 08/49] hv_netvsc: Remove "unlikely" from netvsc_select_queue Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.19 09/49] NFSv4.1 handle ERR_DELAY error reclaiming locking state on delegation recall Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.19 10/49] scsi: pm8001: Fix memleak in pm8001_exec_internal_task_abort Greg Kroah-Hartman
2020-09-22 15:29 ` Pavel Machek
2020-09-21 16:27 ` [PATCH 4.19 11/49] scsi: libfc: Fix for double free() Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.19 12/49] scsi: lpfc: Fix FLOGI/PLOGI receive race condition in pt2pt discovery Greg Kroah-Hartman
2020-09-21 16:27 ` [PATCH 4.19 13/49] regulator: pwm: Fix machine constraints application Greg Kroah-Hartman
2020-09-21 16:27 ` Greg Kroah-Hartman [this message]
2020-09-21 16:27 ` [PATCH 4.19 15/49] NFS: Zero-stateid SETATTR should first return delegation Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 16/49] SUNRPC: stop printk reading past end of string Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 17/49] rapidio: Replace select DMAENGINES with depends on Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 18/49] openrisc: Fix cache API compile issue when not inlining Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 19/49] nvme-fc: cancel async events before freeing event struct Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 20/49] nvme-rdma: " Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 21/49] f2fs: fix indefinite loop scanning for free nid Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 22/49] f2fs: Return EOF on unaligned end of file DIO read Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 23/49] i2c: algo: pca: Reapply i2c bus settings after reset Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 24/49] spi: Fix memory leak on splited transfers Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 25/49] KVM: MIPS: Change the definition of kvm type Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 26/49] clk: davinci: Use the correct size when allocating memory Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 27/49] clk: rockchip: Fix initialization of mux_pll_src_4plls_p Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 28/49] ASoC: qcom: Set card->owner to avoid warnings Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 29/49] Drivers: hv: vmbus: Add timeout to vmbus_wait_for_unload Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 30/49] perf test: Fix the "signal" test inline assembly Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 31/49] MIPS: SNI: Fix MIPS_L1_CACHE_SHIFT Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 32/49] perf test: Free formats for perf pmu parse test Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 33/49] fbcon: Fix user font detection test at fbcon_resize() Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 34/49] MIPS: SNI: Fix spurious interrupts Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 35/49] drm/mediatek: Add exception handing in mtk_drm_probe() if component init fail Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 36/49] drm/mediatek: Add missing put_device() call in mtk_hdmi_dt_parse_pdata() Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 37/49] USB: quirks: Add USB_QUIRK_IGNORE_REMOTE_WAKEUP quirk for BYD zhaoxin notebook Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 38/49] USB: UAS: fix disconnect by unplugging a hub Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 39/49] usblp: fix race between disconnect() and read() Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 40/49] i2c: i801: Fix resume bug Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 41/49] Revert "ALSA: hda - Fix silent audio output and corrupted input on MSI X570-A PRO" Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 42/49] percpu: fix first chunk size calculation for populated bitmap Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 43/49] Input: trackpoint - add new trackpoint variant IDs Greg Kroah-Hartman
2020-09-22 15:39 ` Pavel Machek
2020-09-22 16:16 ` Greg Kroah-Hartman
2020-09-22 20:24 ` Pavel Machek
2020-09-23 20:42 ` Dmitry Torokhov
2020-09-24 2:16 ` Vincent Huang
2020-09-21 16:28 ` [PATCH 4.19 44/49] Input: i8042 - add Entroware Proteus EL07R4 to nomux and reset lists Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 45/49] serial: 8250_pci: Add Realtek 816a and 816b Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 46/49] x86/boot/compressed: Disable relocation relaxation Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 47/49] ehci-hcd: Move include to keep CRC stable Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 48/49] powerpc/dma: Fix dma_map_ops::get_required_mask Greg Kroah-Hartman
2020-09-21 16:28 ` [PATCH 4.19 49/49] x86/defconfig: Enable CONFIG_USB_XHCI_HCD=y Greg Kroah-Hartman
2020-09-22 6:46 ` [PATCH 4.19 00/49] 4.19.147-rc1 review Jon Hunter
2020-09-22 8:42 ` Naresh Kamboju
2020-09-22 9:56 ` Nobuhiro Iwamatsu
2020-09-22 20:18 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200921162035.286175398@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=broonie@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=vincent.whitchurch@axis.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.