Re: [PATCH 2/2] mmc: dw_mmc: Fix out-of-bounds access for slot's caps

Shawn Lin <shawn.lin@xxxxxxxxxxxxxx> · Tue, 27 Feb 2018 21:42:15 +0800

On 2018/2/27 19:27, Ulf Hansson wrote:
On 24 February 2018 at 07:17, Shawn Lin <shawn.lin@xxxxxxxxxxxxxx> wrote:
Add num_caps field for dw_mci_drv_data to validate the controller
id from DT alias and non-DT ways.

Reported-by: Geert Uytterhoeven <geert+renesas@xxxxxxxxx>
Signed-off-by: Shawn Lin <shawn.lin@xxxxxxxxxxxxxx>

Thanks, applied for fixes!

Should we add a stable tag as well?


I noticed patch[1] was intended to be backported as far
as possible, but I suspected how far it could be for dw_mmc, since
the code changed a lot after introducing this piece of code:).
Anyway, it still may be worth to have a try, so

Fixes: 800d78bfccb3 ("mmc: dw_mmc: add support for implementation 
specific callbacks")
Cc: <stable@xxxxxxxxxxxxxxx>


[1] https://patchwork.kernel.org/patch/10230673/

Kind regards
Uffe

---

  drivers/mmc/host/dw_mmc-exynos.c   | 1 +
  drivers/mmc/host/dw_mmc-k3.c       | 1 +
  drivers/mmc/host/dw_mmc-rockchip.c | 1 +
  drivers/mmc/host/dw_mmc-zx.c       | 1 +
  drivers/mmc/host/dw_mmc.c          | 9 ++++++++-
  drivers/mmc/host/dw_mmc.h          | 2 ++
  6 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/drivers/mmc/host/dw_mmc-exynos.c b/drivers/mmc/host/dw_mmc-exynos.c
index 3502679..fa41d94 100644
--- a/drivers/mmc/host/dw_mmc-exynos.c
+++ b/drivers/mmc/host/dw_mmc-exynos.c
@@ -487,6 +487,7 @@ static int dw_mci_exynos_prepare_hs400_tuning(struct dw_mci *host,

  static const struct dw_mci_drv_data exynos_drv_data = {
         .caps                   = exynos_dwmmc_caps,
+       .num_caps               = ARRAY_SIZE(exynos_dwmmc_caps),
         .init                   = dw_mci_exynos_priv_init,
         .set_ios                = dw_mci_exynos_set_ios,
         .parse_dt               = dw_mci_exynos_parse_dt,
diff --git a/drivers/mmc/host/dw_mmc-k3.c b/drivers/mmc/host/dw_mmc-k3.c
index 73fd75c..eb53e37 100644
--- a/drivers/mmc/host/dw_mmc-k3.c
+++ b/drivers/mmc/host/dw_mmc-k3.c
@@ -207,6 +207,7 @@ static int dw_mci_hi6220_execute_tuning(struct dw_mci_slot *slot, u32 opcode)

  static const struct dw_mci_drv_data hi6220_data = {
         .caps                   = dw_mci_hi6220_caps,
+       .num_caps               = ARRAY_SIZE(dw_mci_hi6220_caps),
         .switch_voltage         = dw_mci_hi6220_switch_voltage,
         .set_ios                = dw_mci_hi6220_set_ios,
         .parse_dt               = dw_mci_hi6220_parse_dt,
diff --git a/drivers/mmc/host/dw_mmc-rockchip.c b/drivers/mmc/host/dw_mmc-rockchip.c
index a3f1c2b..3392952 100644
--- a/drivers/mmc/host/dw_mmc-rockchip.c
+++ b/drivers/mmc/host/dw_mmc-rockchip.c
@@ -319,6 +319,7 @@ static int dw_mci_rockchip_init(struct dw_mci *host)

  static const struct dw_mci_drv_data rk3288_drv_data = {
         .caps                   = dw_mci_rk3288_dwmmc_caps,
+       .num_caps               = ARRAY_SIZE(dw_mci_rk3288_dwmmc_caps),
         .set_ios                = dw_mci_rk3288_set_ios,
         .execute_tuning         = dw_mci_rk3288_execute_tuning,
         .parse_dt               = dw_mci_rk3288_parse_dt,
diff --git a/drivers/mmc/host/dw_mmc-zx.c b/drivers/mmc/host/dw_mmc-zx.c
index d38e94a..c06b539 100644
--- a/drivers/mmc/host/dw_mmc-zx.c
+++ b/drivers/mmc/host/dw_mmc-zx.c
@@ -195,6 +195,7 @@ static int dw_mci_zx_parse_dt(struct dw_mci *host)

  static const struct dw_mci_drv_data zx_drv_data = {
         .caps                   = zx_dwmmc_caps,
+       .num_caps               = ARRAY_SIZE(zx_dwmmc_caps),
         .execute_tuning         = dw_mci_zx_execute_tuning,
         .prepare_hs400_tuning   = dw_mci_zx_prepare_hs400_tuning,
         .parse_dt               = dw_mci_zx_parse_dt,
diff --git a/drivers/mmc/host/dw_mmc.c b/drivers/mmc/host/dw_mmc.c
index d9128a5..aecc3e2 100644
--- a/drivers/mmc/host/dw_mmc.c
+++ b/drivers/mmc/host/dw_mmc.c
@@ -2783,8 +2783,15 @@ static int dw_mci_init_slot_caps(struct dw_mci_slot *slot)
         } else {
                 ctrl_id = to_platform_device(host->dev)->id;
         }
-       if (drv_data && drv_data->caps)
+
+       if (drv_data && drv_data->caps) {
+               if (ctrl_id >= drv_data->num_caps) {
+                       dev_err(host->dev, "invalid controller id %d\n",
+                               ctrl_id);
+                       return -EINVAL;
+               }
                 mmc->caps |= drv_data->caps[ctrl_id];
+       }

         if (host->pdata->caps2)
                 mmc->caps2 = host->pdata->caps2;
diff --git a/drivers/mmc/host/dw_mmc.h b/drivers/mmc/host/dw_mmc.h
index e3124f0..1424bd4 100644
--- a/drivers/mmc/host/dw_mmc.h
+++ b/drivers/mmc/host/dw_mmc.h
@@ -543,6 +543,7 @@ struct dw_mci_slot {
  /**
   * dw_mci driver data - dw-mshc implementation specific driver data.
   * @caps: mmc subsystem specified capabilities of the controller(s).
+ * @num_caps: number of capabilities specified by @caps.
   * @init: early implementation specific initialization.
   * @set_ios: handle bus specific extensions.
   * @parse_dt: parse implementation specific device tree properties.
@@ -554,6 +555,7 @@ struct dw_mci_slot {
   */
  struct dw_mci_drv_data {
         unsigned long   *caps;
+       u32             num_caps;
         int             (*init)(struct dw_mci *host);
         void            (*set_ios)(struct dw_mci *host, struct mmc_ios *ios);
         int             (*parse_dt)(struct dw_mci *host);
--
1.9.1







--
Best Regards
Shawn Lin

--
To unsubscribe from this list: send the line "unsubscribe linux-mmc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html






