diff mbox series

clk: bcm: rpi: Fix an out-of-bound access to raspberrypi_clk_variants

Message ID 20221008144544.283945-1-xukuohai@huaweicloud.com (mailing list archive)
State New, archived
Headers show
Series clk: bcm: rpi: Fix an out-of-bound access to raspberrypi_clk_variants | expand

Commit Message

Xu Kuohai Oct. 8, 2022, 2:45 p.m. UTC 
From: Xu Kuohai <xukuohai@huawei.com>

KASAN reports an out-of-bound access to raspberrypi_clk_variants[]:

==================================================================
BUG: KASAN: global-out-of-bounds in raspberrypi_clk_probe+0x1dc/0x690
Read of size 1 at addr ffffcc7116d615a0 by task kworker/u8:0/8

CPU: 1 PID: 8 Comm: kworker/u8:0 Not tainted 6.0.0-rc3-00900-g08f4df4a3c53 raspberrypi#10
Hardware name: Raspberry Pi 4 Model B Rev 1.4 (DT)
Workqueue: events_unbound deferred_probe_work_func
Call trace:
  dump_backtrace.part.0+0xd4/0xf4
  show_stack+0x24/0x7c
  dump_stack_lvl+0x68/0x84
  print_report+0x130/0x620
  kasan_report+0x94/0x160
  __asan_load1+0x68/0x74
  raspberrypi_clk_probe+0x1dc/0x690
  platform_probe+0x98/0x12c
  really_probe+0x118/0x42c
  __driver_probe_device+0xc0/0x150
  driver_probe_device+0x64/0x1c0
  __device_attach_driver+0x128/0x1ac
  bus_for_each_drv+0xf8/0x17c
  __device_attach+0x128/0x294
  device_initial_probe+0x20/0x40
  bus_probe_device+0xf8/0x120
  deferred_probe_work_func+0xf4/0x150
  process_one_work+0x3c4/0x800
  worker_thread+0x3dc/0x6b4
  kthread+0x194/0x1b0
  ret_from_fork+0x10/0x20

The buggy address belongs to the variable:
  raspberrypi_clk_variants+0x1e0/0xaa0

The buggy address belongs to the virtual mapping at
                [ffffcc7116a00000, ffffcc7117061000) created by:
                paging_init+0x2b8/0x7a8

The buggy address belongs to the physical page:
page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2961
flags: 0x3fffc0000001000(reserved|node=0|zone=0|lastcpupid=0xffff)
raw: 03fffc0000001000 fffffcb2ee0a5848 fffffcb2ee0a5848 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffffcc7116d61480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffffcc7116d61500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 >ffffcc7116d61580: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
                                ^
  ffffcc7116d61600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffffcc7116d61680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Since raspberrypi_clk_variants[] size is RPI_FIRMWARE_NUM_CLK_ID, fix it
by making the access index clks->id less than RPI_FIRMWARE_NUM_CLK_ID and
setting clks[RPI_FIRMWARE_NUM_CLK_ID - 1].id to 0.

Fixes: 12c90f3f27bb ("clk: bcm: rpi: Add variant structure")
Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
---
 drivers/clk/bcm/clk-raspberrypi.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

Stefan Wahren Oct. 8, 2022, 5:07 p.m. UTC | #1 
Hi Xu,

Am 08.10.22 um 16:45 schrieb Xu Kuohai:
> From: Xu Kuohai <xukuohai@huawei.com>
>
> KASAN reports an out-of-bound access to raspberrypi_clk_variants[]:
>
> ==================================================================
> BUG: KASAN: global-out-of-bounds in raspberrypi_clk_probe+0x1dc/0x690
> Read of size 1 at addr ffffcc7116d615a0 by task kworker/u8:0/8
>
> CPU: 1 PID: 8 Comm: kworker/u8:0 Not tainted 6.0.0-rc3-00900-g08f4df4a3c53 raspberrypi#10

this kernel is a little bit older and doesn't contain bc163555603e 
("clk: bcm: rpi: Prevent out-of-bounds access").

Can you please check Linux 6.0?

Best regards
Xu Kuohai Oct. 9, 2022, 3:34 a.m. UTC | #2 
On 10/9/2022 1:07 AM, Stefan Wahren wrote:
> Hi Xu,
> 
> Am 08.10.22 um 16:45 schrieb Xu Kuohai:
>> From: Xu Kuohai <xukuohai@huawei.com>
>>
>> KASAN reports an out-of-bound access to raspberrypi_clk_variants[]:
>>
>> ==================================================================
>> BUG: KASAN: global-out-of-bounds in raspberrypi_clk_probe+0x1dc/0x690
>> Read of size 1 at addr ffffcc7116d615a0 by task kworker/u8:0/8
>>
>> CPU: 1 PID: 8 Comm: kworker/u8:0 Not tainted 6.0.0-rc3-00900-g08f4df4a3c53 raspberrypi#10
> 
> this kernel is a little bit older and doesn't contain bc163555603e ("clk: bcm: rpi: Prevent out-of-bounds access").
> 
> Can you please check Linux 6.0?
> 

Yes, the kernel branch I used was not updated, and the KASAN warning was gone after switching to 6.0 kernel, thanks.

> Best regards
>
diff mbox series

Patch

diff --git a/drivers/clk/bcm/clk-raspberrypi.c b/drivers/clk/bcm/clk-raspberrypi.c
index 73518009a0f2..3ad0d2d2e3b6 100644
--- a/drivers/clk/bcm/clk-raspberrypi.c
+++ b/drivers/clk/bcm/clk-raspberrypi.c
@@ -356,10 +356,12 @@  static int raspberrypi_discover_clocks(struct raspberrypi_clk *rpi,
 	if (ret)
 		return ret;
 
+	clks[RPI_FIRMWARE_NUM_CLK_ID - 1].id = 0;
+
 	while (clks->id) {
 		struct raspberrypi_clk_variant *variant;
 
-		if (clks->id > RPI_FIRMWARE_NUM_CLK_ID) {
+		if (clks->id >= RPI_FIRMWARE_NUM_CLK_ID) {
 			dev_err(rpi->dev, "Unknown clock id: %u", clks->id);
 			return -EINVAL;
 		}