* [PATCH 0/2] clk: zynqmp: clock fixes
@ 2022-05-10 7:01 Shubhrajyoti Datta
2022-05-10 7:01 ` [PATCH 1/2] clk: zynqmp: Replaced strncpy() with strscpy() Shubhrajyoti Datta
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Shubhrajyoti Datta @ 2022-05-10 7:01 UTC (permalink / raw)
To: linux-clk; +Cc: sboyd, mturquette, git, Shubhrajyoti Datta
Below are the
As part of discussions on [1] there was a suggestion to use
strscpy. Which is implemented in [2] and [1] null terminates
the string.
[1] https://www.spinics.net/lists/linux-clk/msg60795.html
[2] https://lore.kernel.org/all/DM6PR02MB6635E9F94E9A5FFC06188EF2AAAF9@DM6PR02MB6635.namprd02.prod.outlook.com/T/
Ian Nam (1):
clk: zynqmp: Fix stack-out-of-bounds in strncpy`
Shubhrajyoti Datta (1):
clk: zynqmp: Replaced strncpy() with strscpy()
drivers/clk/zynqmp/clkc.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--
2.17.1
* [PATCH 1/2] clk: zynqmp: Replaced strncpy() with strscpy()
From: Shubhrajyoti Datta @ 2022-05-10 7:01 UTC (permalink / raw)
To: linux-clk; +Cc: sboyd, mturquette, git, Shubhrajyoti Datta
Replaced strncpy() with strscpy() as the clock names are supposed to
be NULL terminated.
Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
---
drivers/clk/zynqmp/clkc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/clk/zynqmp/clkc.c b/drivers/clk/zynqmp/clkc.c
index 6770dbf55cf8..3d406d2f0a35 100644
--- a/drivers/clk/zynqmp/clkc.c
+++ b/drivers/clk/zynqmp/clkc.c
@@ -163,7 +163,7 @@ static int zynqmp_get_clock_name(u32 clk_id, char *clk_name)
ret = zynqmp_is_valid_clock(clk_id);
if (ret == 1) {
- strncpy(clk_name, clock[clk_id].clk_name, MAX_NAME_LEN);
+ strscpy(clk_name, clock[clk_id].clk_name, MAX_NAME_LEN);
return 0;
}
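Review bot: the strscpy() call in zynqmp_get_clock_name() takes MAX_NAME_LEN as the destination size, but clk_name arrives as a bare char *, so nothing in this function ties that bound to the buffer the caller actually passed. Consider taking the buffer size as a parameter, or documenting that callers must supply at least MAX_NAME_LEN bytes. The return value is also dropped: strscpy() returns -E2BIG when the source did not fit, and returning 0 unconditionally hides a truncated name from the caller.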
@@ -713,7 +713,7 @@ static void zynqmp_get_clock_info(void)
zynqmp_pm_clock_get_name(clock[i].clk_id, &name);
if (!strcmp(name.name, RESERVED_CLK_NAME))
continue;
- strncpy(clock[i].clk_name, name.name, MAX_NAME_LEN);
+ strscpy(clock[i].clk_name, name.name, MAX_NAME_LEN);
}
/* Get topology of all clock */
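Review bot: strcmp(name.name, RESERVED_CLK_NAME), two lines above the new strscpy() in zynqmp_get_clock_info(), still runs on name.name before anything guarantees that buffer is terminated, so this hunk on its own only guarantees that clock[i].clk_name ends up terminated. Either fold the termination of name.name from patch 2/2 into this change or place that patch first in the series. Consider sizeof(clock[i].clk_name) as the bound as well, so the size cannot drift from the array declaration.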
--
2.17.1
* [PATCH 2/2] clk: zynqmp: Fix stack-out-of-bounds in strncpy`
From: Shubhrajyoti Datta @ 2022-05-10 7:01 UTC (permalink / raw)
To: linux-clk; +Cc: sboyd, mturquette, git, Ian Nam, Shubhrajyoti Datta
From: Ian Nam <young.kwan.nam@xilinx.com>
"BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68"
Linux-ATF interface is using 16 bytes of SMC payload. In case clock name is
longer than 15 bytes, string terminated NULL character will not be received
by Linux. Add explicit NULL character at last byte to fix issues when clock
name is longer.
This fixes below bug reported by KASAN:
[ 7.522474] ==================================================================
[ 7.529795] BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68
[ 7.535871] Read of size 1 at addr ffff0008c89a7410 by task swapper/0/1
[ 7.542557]
[ 7.544065] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.4.0-00396-g81ef9e7-dirty #3
[ 7.551809] Hardware name: Xilinx Versal vck190 Eval board revA (QSPI) (DT)
[ 7.558847] Call trace:
[ 7.561321] dump_backtrace+0x0/0x1e8
[ 7.565023] show_stack+0x14/0x20
[ 7.568374] dump_stack+0xd4/0x108
[ 7.571817] print_address_description.isra.0+0xbc/0x37c
[ 7.577189] __kasan_report+0x144/0x198
[ 7.581068] kasan_report+0xc/0x18
[ 7.584507] __asan_load1+0x5c/0x68
[ 7.588032] strncpy+0x30/0x68
[ 7.591120] zynqmp_clock_probe+0x238/0x7b8
[ 7.595350] platform_drv_probe+0x6c/0xc8
[ 7.599405] really_probe+0x14c/0x418
[ 7.603108] driver_probe_device+0x74/0x130
[ 7.607339] __device_attach_driver+0xc4/0xe8
[ 7.611744] bus_for_each_drv+0xec/0x150
[ 7.615711] __device_attach+0x160/0x1d8
[ 7.619678] device_initial_probe+0x10/0x18
[ 7.623907] bus_probe_device+0xe0/0xf0
[ 7.627785] device_add+0x528/0x950
[ 7.631312] of_device_add+0x5c/0x80
[ 7.634926] of_platform_device_create_pdata+0x120/0x168
[ 7.640299] of_platform_bus_create+0x244/0x4e0
[ 7.644880] of_platform_populate+0x50/0xe8
[ 7.649110] zynqmp_firmware_probe+0x370/0x3a8
[ 7.653602] platform_drv_probe+0x6c/0xc8
[ 7.657656] really_probe+0x14c/0x418
[ 7.661359] driver_probe_device+0x74/0x130
[ 7.665589] device_driver_attach+0x94/0xa0
[ 7.669820] __driver_attach+0x70/0x108
[ 7.673698] bus_for_each_dev+0xe4/0x158
[ 7.677664] driver_attach+0x30/0x40
[ 7.681278] bus_add_driver+0x21c/0x2b8
[ 7.685157] driver_register+0xbc/0x1d0
[ 7.689035] __platform_driver_register+0x7c/0x88
[ 7.693793] zynqmp_firmware_driver_init+0x1c/0x24
[ 7.698637] do_one_initcall+0xa4/0x234
[ 7.702518] kernel_init_freeable+0x1b0/0x24c
[ 7.706924] kernel_init+0x10/0x110
[ 7.710450] ret_from_fork+0x10/0x18
[ 7.714058]
[ 7.715559] The buggy address belongs to the page:
[ 7.720405] page:ffff0008f9be1c88 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
[ 7.728772] raw: 0008d00000000000 ffff0008f9be1c90 ffff0008f9be1c90 0000000000000000
[ 7.736606] raw: 0000000000000000 0000000000000000 00000000ffffffff
[ 7.742942] page dumped because: kasan: bad access detected
[ 7.748572]
[ 7.750076] addr ffff0008c89a7410 is located in stack of task swapper/0/1 at offset 112 in frame:
[ 7.759052] zynqmp_clock_probe+0x0/0x7b8
[ 7.763103]
[ 7.764604] this frame has 3 objects:
[ 7.768306] [32, 44) 'response'
[ 7.768312] [64, 80) 'ret_payload'
[ 7.771573] [96, 112) 'name'
[ 7.775095]
[ 7.779585] Memory state around the buggy address:
[ 7.784430] ffff0008c89a7300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 7.791735] ffff0008c89a7380: 00 00 00 00 f1 f1 f1 f1 00 04 f2 f2 00 00 f2 f2
[ 7.799040] >ffff0008c89a7400: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[ 7.806342] ^
[ 7.810132] ffff0008c89a7480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 7.817437] ffff0008c89a7500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 7.824738] ==================================================================
Signed-off-by: Ian Nam <young.kwan.nam@xilinx.com>
Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
---
drivers/clk/zynqmp/clkc.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/clk/zynqmp/clkc.c b/drivers/clk/zynqmp/clkc.c
index 3d406d2f0a35..57bdc2627b87 100644
--- a/drivers/clk/zynqmp/clkc.c
+++ b/drivers/clk/zynqmp/clkc.c
@@ -711,6 +711,13 @@ static void zynqmp_get_clock_info(void)
FIELD_PREP(CLK_ATTR_NODE_INDEX, i);
zynqmp_pm_clock_get_name(clock[i].clk_id, &name);
+
+ /*
+ * Terminate with NULL character in case name provided by firmware
+ * is longer and truncated due to size limit.
+ */
+ name.name[sizeof(name.name) - 1] = '\0';
+
if (!strcmp(name.name, RESERVED_CLK_NAME))
continue;
strscpy(clock[i].clk_name, name.name, MAX_NAME_LEN);
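Review bot: the forced name.name[sizeof(name.name) - 1] = '\0' truncates silently: a firmware name that fills the whole buffer loses its last character and is then compared against RESERVED_CLK_NAME and stored as if it were complete. Consider checking whether a NUL already exists within sizeof(name.name) before overwriting the last byte, and logging a warning when it does not, so clocks whose names differ only past the limit are not registered under the same name unnoticed. Minor: the comment says "NULL character" where NUL is meant, and the subject still names strncpy (with a stray backtick) although the context line below already uses strscpy().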
--
2.17.1
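The failure mode from this commit message as a userspace C sketch, added here as an example and not part of the patch or the driver: a 16-byte payload completely filled by the name carries no terminator, so the receiver has to terminate it before any string function reads it, and can flag the truncation while doing so. `struct name_resp`, `bounded_copy()`, `payload_terminated()` and `receive_name()` are hypothetical names, and the clock name is constructed.

```c
#include <stdio.h>
#include <string.h>

#define PAYLOAD_LEN 16 /* SMC payload size stated in the commit message */

/* Hypothetical stand-in for the firmware reply buffer ('name' in the KASAN frame). */
struct name_resp { char name[PAYLOAD_LEN]; };

/* Userspace sketch of strscpy() semantics: dst is always terminated;
 * returns the copied length, or -1 (the kernel returns -E2BIG) on truncation. */
static long bounded_copy(char *dst, const char *src, size_t count)
{
    size_t i;

    if (count == 0)
        return -1;
    for (i = 0; i < count - 1 && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return src[i] == '\0' ? (long)i : -1;
}

/* 1 if a NUL exists inside the 16 bytes, 0 if the name filled the payload. */
static int payload_terminated(const struct name_resp *r)
{
    return memchr(r->name, '\0', sizeof(r->name)) != NULL;
}

/* Receive path: detect the overlong name, terminate as patch 2/2 does, copy.
 * Returns 1 when the stored name was truncated, 0 when it is complete. */
static int receive_name(struct name_resp *r, char *dst, size_t dst_len)
{
    int truncated = !payload_terminated(r);

    r->name[sizeof(r->name) - 1] = '\0';
    if (bounded_copy(dst, r->name, dst_len) < 0)
        truncated = 1;
    return truncated;
}

int main(void)
{
    struct name_resp r;
    char dst[PAYLOAD_LEN];

    memcpy(r.name, "constructed_clk0", PAYLOAD_LEN); /* constructed 16-char name, no NUL */
    printf("truncated=%d stored=\"%s\"\n", receive_name(&r, dst, sizeof(dst)), dst);
    return 0;
}
```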
* Re: [PATCH 0/2] clk: zynqmp: clock fixes
From: Michal Simek @ 2022-07-20 13:38 UTC (permalink / raw)
To: Shubhrajyoti Datta, linux-clk, Stephen Boyd; +Cc: mturquette, git
On 5/10/22 09:01, Shubhrajyoti Datta wrote:
> Below are the
> As part of discussions on [1] there was a suggestion to use
> strscpy. Which is implemented in [2] and [1] null terminates
> the string.
>
> [1] https://www.spinics.net/lists/linux-clk/msg60795.html
> [2] https://lore.kernel.org/all/DM6PR02MB6635E9F94E9A5FFC06188EF2AAAF9@DM6PR02MB6635.namprd02.prod.outlook.com/T/
>
> Ian Nam (1):
> clk: zynqmp: Fix stack-out-of-bounds in strncpy`
>
> Shubhrajyoti Datta (1):
> clk: zynqmp: Replaced strncpy() with strscpy()
>
> drivers/clk/zynqmp/clkc.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
Acked-by: Michal Simek <michal.simek@amd.com>
Thanks,
Michal
* Re: [PATCH 1/2] clk: zynqmp: Replaced strncpy() with strscpy()
From: Stephen Boyd @ 2022-08-22 23:58 UTC (permalink / raw)
To: Shubhrajyoti Datta, linux-clk; +Cc: mturquette, git, Shubhrajyoti Datta
Quoting Shubhrajyoti Datta (2022-05-10 00:01:53)
> Replaced strncpy() with strscpy() as the clock names are supposed to
> be NULL terminated.
>
> Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
> ---
Applied to clk-next
* Re: [PATCH 2/2] clk: zynqmp: Fix stack-out-of-bounds in strncpy`
From: Stephen Boyd @ 2022-08-22 23:58 UTC (permalink / raw)
To: Shubhrajyoti Datta, linux-clk
Cc: mturquette, git, Ian Nam, Shubhrajyoti Datta
Quoting Shubhrajyoti Datta (2022-05-10 00:01:54)
> From: Ian Nam <young.kwan.nam@xilinx.com>
>
> "BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68"
>
> Linux-ATF interface is using 16 bytes of SMC payload. In case clock name is
> longer than 15 bytes, string terminated NULL character will not be received
> by Linux. Add explicit NULL character at last byte to fix issues when clock
> name is longer.
>
> This fixes below bug reported by KASAN:
>
> [ 7.522474] ==================================================================
> [ 7.529795] BUG: KASAN: stack-out-of-bounds in strncpy+0x30/0x68
> [ 7.535871] Read of size 1 at addr ffff0008c89a7410 by task swapper/0/1
> [ 7.542557]
> [ 7.544065] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.4.0-00396-g81ef9e7-dirty #3
> [ 7.551809] Hardware name: Xilinx Versal vck190 Eval board revA (QSPI) (DT)
> [ 7.558847] Call trace:
> [ 7.561321] dump_backtrace+0x0/0x1e8
> [ 7.565023] show_stack+0x14/0x20
> [ 7.568374] dump_stack+0xd4/0x108
> [ 7.571817] print_address_description.isra.0+0xbc/0x37c
> [ 7.577189] __kasan_report+0x144/0x198
> [ 7.581068] kasan_report+0xc/0x18
> [ 7.584507] __asan_load1+0x5c/0x68
> [ 7.588032] strncpy+0x30/0x68
> [ 7.591120] zynqmp_clock_probe+0x238/0x7b8
> [ 7.595350] platform_drv_probe+0x6c/0xc8
> [ 7.599405] really_probe+0x14c/0x418
> [ 7.603108] driver_probe_device+0x74/0x130
> [ 7.607339] __device_attach_driver+0xc4/0xe8
> [ 7.611744] bus_for_each_drv+0xec/0x150
> [ 7.615711] __device_attach+0x160/0x1d8
> [ 7.619678] device_initial_probe+0x10/0x18
> [ 7.623907] bus_probe_device+0xe0/0xf0
> [ 7.627785] device_add+0x528/0x950
> [ 7.631312] of_device_add+0x5c/0x80
> [ 7.634926] of_platform_device_create_pdata+0x120/0x168
> [ 7.640299] of_platform_bus_create+0x244/0x4e0
> [ 7.644880] of_platform_populate+0x50/0xe8
> [ 7.649110] zynqmp_firmware_probe+0x370/0x3a8
> [ 7.653602] platform_drv_probe+0x6c/0xc8
> [ 7.657656] really_probe+0x14c/0x418
> [ 7.661359] driver_probe_device+0x74/0x130
> [ 7.665589] device_driver_attach+0x94/0xa0
> [ 7.669820] __driver_attach+0x70/0x108
> [ 7.673698] bus_for_each_dev+0xe4/0x158
> [ 7.677664] driver_attach+0x30/0x40
> [ 7.681278] bus_add_driver+0x21c/0x2b8
> [ 7.685157] driver_register+0xbc/0x1d0
> [ 7.689035] __platform_driver_register+0x7c/0x88
> [ 7.693793] zynqmp_firmware_driver_init+0x1c/0x24
> [ 7.698637] do_one_initcall+0xa4/0x234
> [ 7.702518] kernel_init_freeable+0x1b0/0x24c
> [ 7.706924] kernel_init+0x10/0x110
> [ 7.710450] ret_from_fork+0x10/0x18
> [ 7.714058]
> [ 7.715559] The buggy address belongs to the page:
> [ 7.720405] page:ffff0008f9be1c88 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
> [ 7.728772] raw: 0008d00000000000 ffff0008f9be1c90 ffff0008f9be1c90 0000000000000000
> [ 7.736606] raw: 0000000000000000 0000000000000000 00000000ffffffff
> [ 7.742942] page dumped because: kasan: bad access detected
> [ 7.748572]
> [ 7.750076] addr ffff0008c89a7410 is located in stack of task swapper/0/1 at offset 112 in frame:
> [ 7.759052] zynqmp_clock_probe+0x0/0x7b8
> [ 7.763103]
> [ 7.764604] this frame has 3 objects:
> [ 7.768306] [32, 44) 'response'
> [ 7.768312] [64, 80) 'ret_payload'
> [ 7.771573] [96, 112) 'name'
> [ 7.775095]
> [ 7.779585] Memory state around the buggy address:
> [ 7.784430] ffff0008c89a7300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 7.791735] ffff0008c89a7380: 00 00 00 00 f1 f1 f1 f1 00 04 f2 f2 00 00 f2 f2
> [ 7.799040] >ffff0008c89a7400: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
> [ 7.806342] ^
> [ 7.810132] ffff0008c89a7480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 7.817437] ffff0008c89a7500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> [ 7.824738] ==================================================================
>
> Signed-off-by: Ian Nam <young.kwan.nam@xilinx.com>
> Signed-off-by: Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
> ---
Applied to clk-next