[PATCH u-boot v4 01/36] regmap: fix a serious pointer casting bug

From: "Marek Behún" <marek.behun@nic.cz>
To: u-boot@lists.denx.de
Subject: [PATCH u-boot v4 01/36] regmap: fix a serious pointer casting bug
Date: Thu, 20 May 2021 13:23:50 +0200	[thread overview]
Message-ID: <20210520112425.25166-2-marek.behun@nic.cz> (raw)
In-Reply-To: <20210520112425.25166-1-marek.behun@nic.cz>

There is a serious bug in regmap_read() and regmap_write() functions
where an uint pointer is cast to (void *) which is then cast to (u8 *),
(u16 *), (u32 *) or (u64 *), depending on register width of the map.

For example given a regmap with 16-bit register width the code
	int val = 0x12340000;
	regmap_read(map, 0, &val);
only changes the lower 16 bits of val on little-endian machines.
The upper 16 bits will remain 0x1234.

Nobody noticed this probably because this bug can be triggered with
regmap_write() only on big-endian architectures (which are not used by
many people anymore), and on little endian this bug has consequences
only if register width is 8 or 16 bits and also the memory place to
which regmap_read() should store it's result has non-zero upper bits,
which it seems doesn't happen anywhere in U-Boot normally. CI managed to
trigger this bug in unit test of dm_test_devm_regmap_field when compiled
for sandbox_defconfig using LTO.

Fix this by utilizing an union { u8; u16; u32; u64; } and reading data
into this union / writing data from this union.

Signed-off-by: Marek Beh?n <marek.behun@nic.cz>
Cc: Simon Glass <sjg@chromium.org>
Cc: Heiko Schocher <hs@denx.de>
Cc: Bin Meng <bmeng.cn@gmail.com>
Cc: Pratyush Yadav <p.yadav@ti.com>
---
 drivers/core/regmap.c | 59 +++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 57 insertions(+), 2 deletions(-)

diff --git a/drivers/core/regmap.c b/drivers/core/regmap.c
index b51ce108c1..3206f3d112 100644
--- a/drivers/core/regmap.c
+++ b/drivers/core/regmap.c
@@ -435,7 +435,36 @@ int regmap_raw_read(struct regmap *map, uint offset, void *valp, size_t val_len)
 
 int regmap_read(struct regmap *map, uint offset, uint *valp)
 {
-	return regmap_raw_read(map, offset, valp, map->width);
+	union {
+		u8 v8;
+		u16 v16;
+		u32 v32;
+		u64 v64;
+	} u;
+	int res;
+
+	res = regmap_raw_read(map, offset, &u, map->width);
+	if (res)
+		return res;
+
+	switch (map->width) {
+	case REGMAP_SIZE_8:
+		*valp = u.v8;
+		break;
+	case REGMAP_SIZE_16:
+		*valp = u.v16;
+		break;
+	case REGMAP_SIZE_32:
+		*valp = u.v32;
+		break;
+	case REGMAP_SIZE_64:
+		*valp = u.v64;
+		break;
+	default:
+		unreachable();
+	}
+
+	return 0;
 }
 
 static inline void __write_8(u8 *addr, const u8 *val,
@@ -546,7 +575,33 @@ int regmap_raw_write(struct regmap *map, uint offset, const void *val,
 
 int regmap_write(struct regmap *map, uint offset, uint val)
 {
-	return regmap_raw_write(map, offset, &val, map->width);
+	union {
+		u8 v8;
+		u16 v16;
+		u32 v32;
+		u64 v64;
+	} u;
+
+	switch (map->width) {
+	case REGMAP_SIZE_8:
+		u.v8 = val;
+		break;
+	case REGMAP_SIZE_16:
+		u.v16 = val;
+		break;
+	case REGMAP_SIZE_32:
+		u.v32 = val;
+		break;
+	case REGMAP_SIZE_64:
+		u.v64 = val;
+		break;
+	default:
+		debug("%s: regmap size %zu unknown\n", __func__,
+		      (size_t)map->width);
+		return -EINVAL;
+	}
+
+	return regmap_raw_write(map, offset, &u, map->width);
 }
 
 int regmap_update_bits(struct regmap *map, uint offset, uint mask, uint val)
-- 
2.26.3
