From: Tzung-Bi Shih <tzungbi@google.com>
To: Yong Wu <yong.wu@mediatek.com>
Cc: Guenter Roeck <linux@roeck-us.net>,
Joerg Roedel <joro@8bytes.org>, Will Deacon <will@kernel.org>,
Matthias Brugger <matthias.bgg@gmail.com>,
iommu@lists.linux-foundation.org,
linux-mediatek@lists.infradead.org,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, Tomasz Figa <tfiga@chromium.org>,
kernel test robot <lkp@intel.com>,
Dan Carpenter <dan.carpenter@oracle.com>
Subject: Re: [SPAM][PATCH] iommu/mediatek: Validate number of phandles associated with "mediatek,larbs"
Date: Tue, 14 Dec 2021 17:04:08 +0800 [thread overview]
Message-ID: <YbheCEbOS48Owcht@google.com> (raw)
In-Reply-To: <ebf58066a131f92c68e83a1ef56b88f435fa0d08.camel@mediatek.com>
On Tue, Dec 14, 2021 at 03:31:25PM +0800, Yong Wu wrote:
> On Fri, 2021-12-10 at 12:57 -0800, Guenter Roeck wrote:
> > Since commit baf94e6ebff9 ("iommu/mediatek: Add device link for smi-
> > common
> > and m4u"), the driver assumes that at least one phandle associated
> > with
> > "mediatek,larbs" exists. If that is not the case, for example if
> > reason
> > "mediatek,larbs" is provided as boolean property, the code will use
> > an
> > uninitialized pointer and may crash. To fix the problem, ensure that
> > the
> > number of phandles associated with "mediatek,larbs" is at least 1 and
> > bail out immediately if that is not the case.
>
> From the dt-binding, "mediatek,larbs" always is a phandle-array. I
> assumed the dts should conform to the dt-binding before. Then the
> problem is that if we should cover the case that someone abuses/attacks
> the dts. Could you help add more comment in the commit message?
> something like: this is for avoid abuse the dt-binding.
How could you make sure dts conform to dt-bindings in runtime? Code shouldn't rely on the assumptions but try the best to prevent any abuse/misconfigured/malicious cases especially if the assumptions are controllable by other parties.
Taking this case as an example, of_count_phandle_with_args() could return 3 types of values.
1. Negative: an error, it is already handled in the original code.
2. Positive: normal case, it falls down to the rest of code.
3. Zero: it still falls down to the rest of code, however, some variables won't be filled.
The code should handle all of the above types.
> > diff --git a/drivers/iommu/mtk_iommu.c b/drivers/iommu/mtk_iommu.c
> > index 25b834104790..0bbe32d0a2a6 100644
> > --- a/drivers/iommu/mtk_iommu.c
> > +++ b/drivers/iommu/mtk_iommu.c
> > @@ -828,6 +828,8 @@ static int mtk_iommu_probe(struct platform_device
> > *pdev)
> > "mediatek,larbs", NULL);
> > if (larb_nr < 0)
> > return larb_nr;
> > + if (larb_nr == 0)
> > + return -EINVAL;
>
> Just assigning the larbnode to NULL may be simpler. In this case, it
> won't enter the loop below, and return 0 in the
> of_parse_phandle(larbnode, "mediatek,smi", 0).
>
> - struct device_node *larbnode, *smicomm_node;
> + struct device_node *larbnode = NULL, *smicomm_node;
Setting larbnode to NULL doesn't make sense to me. It wastes some more instructions. If the code can exit earlier, why does it need to call another of_parse_phandle()?
Also, it adds another dependency between the code blocks. What if someone move the code blocks without awareness of the dependency?
_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek
WARNING: multiple messages have this Message-ID (diff)
From: Tzung-Bi Shih <tzungbi@google.com>
To: Yong Wu <yong.wu@mediatek.com>
Cc: Guenter Roeck <linux@roeck-us.net>,
Joerg Roedel <joro@8bytes.org>, Will Deacon <will@kernel.org>,
Matthias Brugger <matthias.bgg@gmail.com>,
iommu@lists.linux-foundation.org,
linux-mediatek@lists.infradead.org,
linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org, Tomasz Figa <tfiga@chromium.org>,
kernel test robot <lkp@intel.com>,
Dan Carpenter <dan.carpenter@oracle.com>
Subject: Re: [SPAM][PATCH] iommu/mediatek: Validate number of phandles associated with "mediatek,larbs"
Date: Tue, 14 Dec 2021 17:04:08 +0800 [thread overview]
Message-ID: <YbheCEbOS48Owcht@google.com> (raw)
In-Reply-To: <ebf58066a131f92c68e83a1ef56b88f435fa0d08.camel@mediatek.com>
On Tue, Dec 14, 2021 at 03:31:25PM +0800, Yong Wu wrote:
> On Fri, 2021-12-10 at 12:57 -0800, Guenter Roeck wrote:
> > Since commit baf94e6ebff9 ("iommu/mediatek: Add device link for smi-
> > common
> > and m4u"), the driver assumes that at least one phandle associated
> > with
> > "mediatek,larbs" exists. If that is not the case, for example if
> > reason
> > "mediatek,larbs" is provided as boolean property, the code will use
> > an
> > uninitialized pointer and may crash. To fix the problem, ensure that
> > the
> > number of phandles associated with "mediatek,larbs" is at least 1 and
> > bail out immediately if that is not the case.
>
> From the dt-binding, "mediatek,larbs" always is a phandle-array. I
> assumed the dts should conform to the dt-binding before. Then the
> problem is that if we should cover the case that someone abuses/attacks
> the dts. Could you help add more comment in the commit message?
> something like: this is for avoid abuse the dt-binding.
How could you make sure dts conform to dt-bindings in runtime? Code shouldn't rely on the assumptions but try the best to prevent any abuse/misconfigured/malicious cases especially if the assumptions are controllable by other parties.
Taking this case as an example, of_count_phandle_with_args() could return 3 types of values.
1. Negative: an error, it is already handled in the original code.
2. Positive: normal case, it falls down to the rest of code.
3. Zero: it still falls down to the rest of code, however, some variables won't be filled.
The code should handle all of the above types.
> > diff --git a/drivers/iommu/mtk_iommu.c b/drivers/iommu/mtk_iommu.c
> > index 25b834104790..0bbe32d0a2a6 100644
> > --- a/drivers/iommu/mtk_iommu.c
> > +++ b/drivers/iommu/mtk_iommu.c
> > @@ -828,6 +828,8 @@ static int mtk_iommu_probe(struct platform_device
> > *pdev)
> > "mediatek,larbs", NULL);
> > if (larb_nr < 0)
> > return larb_nr;
> > + if (larb_nr == 0)
> > + return -EINVAL;
>
> Just assigning the larbnode to NULL may be simpler. In this case, it
> won't enter the loop below, and return 0 in the
> of_parse_phandle(larbnode, "mediatek,smi", 0).
>
> - struct device_node *larbnode, *smicomm_node;
> + struct device_node *larbnode = NULL, *smicomm_node;
Setting larbnode to NULL doesn't make sense to me. It wastes some more instructions. If the code can exit earlier, why does it need to call another of_parse_phandle()?
Also, it adds another dependency between the code blocks. What if someone move the code blocks without awareness of the dependency?
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
WARNING: multiple messages have this Message-ID (diff)
From: Tzung-Bi Shih via iommu <iommu@lists.linux-foundation.org>
To: Yong Wu <yong.wu@mediatek.com>
Cc: kernel test robot <lkp@intel.com>,
linux-kernel@vger.kernel.org, iommu@lists.linux-foundation.org,
linux-mediatek@lists.infradead.org,
linux-arm-kernel@lists.infradead.org,
Matthias Brugger <matthias.bgg@gmail.com>,
Dan Carpenter <dan.carpenter@oracle.com>,
Will Deacon <will@kernel.org>, Guenter Roeck <linux@roeck-us.net>
Subject: Re: [SPAM][PATCH] iommu/mediatek: Validate number of phandles associated with "mediatek,larbs"
Date: Tue, 14 Dec 2021 17:04:08 +0800 [thread overview]
Message-ID: <YbheCEbOS48Owcht@google.com> (raw)
In-Reply-To: <ebf58066a131f92c68e83a1ef56b88f435fa0d08.camel@mediatek.com>
On Tue, Dec 14, 2021 at 03:31:25PM +0800, Yong Wu wrote:
> On Fri, 2021-12-10 at 12:57 -0800, Guenter Roeck wrote:
> > Since commit baf94e6ebff9 ("iommu/mediatek: Add device link for smi-
> > common
> > and m4u"), the driver assumes that at least one phandle associated
> > with
> > "mediatek,larbs" exists. If that is not the case, for example if
> > reason
> > "mediatek,larbs" is provided as boolean property, the code will use
> > an
> > uninitialized pointer and may crash. To fix the problem, ensure that
> > the
> > number of phandles associated with "mediatek,larbs" is at least 1 and
> > bail out immediately if that is not the case.
>
> From the dt-binding, "mediatek,larbs" always is a phandle-array. I
> assumed the dts should conform to the dt-binding before. Then the
> problem is that if we should cover the case that someone abuses/attacks
> the dts. Could you help add more comment in the commit message?
> something like: this is for avoid abuse the dt-binding.
How could you make sure dts conform to dt-bindings in runtime? Code shouldn't rely on the assumptions but try the best to prevent any abuse/misconfigured/malicious cases especially if the assumptions are controllable by other parties.
Taking this case as an example, of_count_phandle_with_args() could return 3 types of values.
1. Negative: an error, it is already handled in the original code.
2. Positive: normal case, it falls down to the rest of code.
3. Zero: it still falls down to the rest of code, however, some variables won't be filled.
The code should handle all of the above types.
> > diff --git a/drivers/iommu/mtk_iommu.c b/drivers/iommu/mtk_iommu.c
> > index 25b834104790..0bbe32d0a2a6 100644
> > --- a/drivers/iommu/mtk_iommu.c
> > +++ b/drivers/iommu/mtk_iommu.c
> > @@ -828,6 +828,8 @@ static int mtk_iommu_probe(struct platform_device
> > *pdev)
> > "mediatek,larbs", NULL);
> > if (larb_nr < 0)
> > return larb_nr;
> > + if (larb_nr == 0)
> > + return -EINVAL;
>
> Just assigning the larbnode to NULL may be simpler. In this case, it
> won't enter the loop below, and return 0 in the
> of_parse_phandle(larbnode, "mediatek,smi", 0).
>
> - struct device_node *larbnode, *smicomm_node;
> + struct device_node *larbnode = NULL, *smicomm_node;
Setting larbnode to NULL doesn't make sense to me. It wastes some more instructions. If the code can exit earlier, why does it need to call another of_parse_phandle()?
Also, it adds another dependency between the code blocks. What if someone move the code blocks without awareness of the dependency?
_______________________________________________
iommu mailing list
iommu@lists.linux-foundation.org
https://lists.linuxfoundation.org/mailman/listinfo/iommu
next prev parent reply other threads:[~2021-12-14 9:04 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-10 20:57 [PATCH] iommu/mediatek: Validate number of phandles associated with "mediatek,larbs" Guenter Roeck
2021-12-10 20:57 ` [PATCH] iommu/mediatek: Validate number of phandles associated with "mediatek, larbs" Guenter Roeck
2021-12-10 20:57 ` Guenter Roeck
2021-12-10 20:57 ` Guenter Roeck
2021-12-14 7:31 ` [SPAM][PATCH] iommu/mediatek: Validate number of phandles associated with "mediatek,larbs" Yong Wu
2021-12-14 7:31 ` Yong Wu
2021-12-14 7:31 ` Yong Wu
2021-12-14 9:04 ` Tzung-Bi Shih [this message]
2021-12-14 9:04 ` Tzung-Bi Shih via iommu
2021-12-14 9:04 ` Tzung-Bi Shih
2021-12-15 5:31 ` Yong Wu
2021-12-15 5:31 ` Yong Wu
2021-12-15 5:31 ` Yong Wu
2021-12-14 15:02 ` Guenter Roeck
2021-12-14 15:02 ` Guenter Roeck
2021-12-14 15:02 ` Guenter Roeck
2021-12-15 5:30 ` Yong Wu
2021-12-15 5:30 ` Yong Wu
2021-12-15 5:30 ` Yong Wu
2021-12-15 16:25 ` Guenter Roeck
2021-12-15 16:25 ` Guenter Roeck
2021-12-15 16:25 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YbheCEbOS48Owcht@google.com \
--to=tzungbi@google.com \
--cc=dan.carpenter@oracle.com \
--cc=iommu@lists.linux-foundation.org \
--cc=joro@8bytes.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mediatek@lists.infradead.org \
--cc=linux@roeck-us.net \
--cc=lkp@intel.com \
--cc=matthias.bgg@gmail.com \
--cc=tfiga@chromium.org \
--cc=will@kernel.org \
--cc=yong.wu@mediatek.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.