spi: spi-loopback-test: Fix out-of-bounds read

Message ID 20200902132341.7079-1-vincent.whitchurch@axis.com (mailing list archive)
State Accepted
Commit 837ba18dfcd4db21ad58107c65bfe89753aa56d7

Commit Message

Vincent Whitchurch Sept. 2, 2020, 1:23 p.m. UTC
The "tx/rx-transfer - crossing PAGE_SIZE" test always fails when
len=131071 and rx_offset >= 5:

 spi-loopback-test spi0.0: Running test tx/rx-transfer - crossing PAGE_SIZE
 ...
   with iteration values: len = 131071, tx_off = 0, rx_off = 3
   with iteration values: len = 131071, tx_off = 0, rx_off = 4
   with iteration values: len = 131071, tx_off = 0, rx_off = 5
 loopback strangeness - rx changed outside of allowed range at: ...a4321000
   spi_msg@ffffffd5a4157690
     frame_length:  131071
     actual_length: 131071
     spi_transfer@ffffffd5a41576f8
       len:    131071
       tx_buf: ffffffd5a4340ffc

Note that rx_offset > 3 can only occur if the SPI controller driver sets
->dma_alignment to a higher value than 4, so most SPI controller drivers
are not affected.

The allocated Rx buffer is of size SPI_TEST_MAX_SIZE_PLUS, which is 132
KiB (assuming 4 KiB pages).  This test uses an initial offset into the
rx_buf of PAGE_SIZE - 4, and a len of 131071, so the range expected to
be written in this transfer ends at (4096 - 4) + 5 + 131071 == 132 KiB,
which is also the end of the allocated buffer.  But the code which
verifies the content of the buffer reads a byte beyond the allocated
buffer and spuriously fails because this out-of-bounds read doesn't
return the expected value.

Fix this by using ITERATE_LEN instead of ITERATE_MAX_LEN to avoid
testing sizes which cause out-of-bounds reads.

Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
---
 drivers/spi/spi-loopback-test.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Mark Brown Sept. 2, 2020, 6:54 p.m. UTC | #1
On Wed, 2 Sep 2020 15:23:41 +0200, Vincent Whitchurch wrote:
> The "tx/rx-transfer - crossing PAGE_SIZE" test always fails when
> len=131071 and rx_offset >= 5:
> 
>  spi-loopback-test spi0.0: Running test tx/rx-transfer - crossing PAGE_SIZE
>  ...
>    with iteration values: len = 131071, tx_off = 0, rx_off = 3
>    with iteration values: len = 131071, tx_off = 0, rx_off = 4
>    with iteration values: len = 131071, tx_off = 0, rx_off = 5
>  loopback strangeness - rx changed outside of allowed range at: ...a4321000
>    spi_msg@ffffffd5a4157690
>      frame_length:  131071
>      actual_length: 131071
>      spi_transfer@ffffffd5a41576f8
>        len:    131071
>        tx_buf: ffffffd5a4340ffc
> 
> [...]

Applied to

   https://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi.git for-next

Thanks!

[1/1] spi: spi-loopback-test: Fix out-of-bounds read
      commit: 837ba18dfcd4db21ad58107c65bfe89753aa56d7

All being well this means that it will be integrated into the linux-next
tree (usually sometime in the next 24 hours) and sent to Linus during
the next merge window (or sooner if it is a bug fix), however if
problems are discovered then the patch may be dropped or reverted.

You may get further e-mails resulting from automated or manual testing
and review of the tree, please engage with people reporting problems and
send followup patches addressing any issues that are reported if needed.

If any updates are required or you are submitting further changes they
should be sent as incremental updates against current git, existing
patches will not be replaced.

Please add any relevant lists and maintainers to the CCs when replying
to this mail.

Thanks,
Mark

Patch

diff --git a/drivers/spi/spi-loopback-test.c b/drivers/spi/spi-loopback-test.c
index 9522d1b5786d..df981e55c24c 100644
--- a/drivers/spi/spi-loopback-test.c
+++ b/drivers/spi/spi-loopback-test.c
@@ -90,7 +90,7 @@  static struct spi_test spi_tests[] = {
 	{
 		.description	= "tx/rx-transfer - crossing PAGE_SIZE",
 		.fill_option	= FILL_COUNT_8,
-		.iterate_len    = { ITERATE_MAX_LEN },
+		.iterate_len    = { ITERATE_LEN },
 		.iterate_tx_align = ITERATE_ALIGN,
 		.iterate_rx_align = ITERATE_ALIGN,
 		.transfer_count = 1,
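
Review bot: the out-of-bounds read in the buffer verification code is avoided rather than fixed by the new `.iterate_len = { ITERATE_LEN }` line. According to the commit message, the check still reads one byte past the end of the SPI_TEST_MAX_SIZE_PLUS allocation whenever a transfer ends exactly at the buffer end, so any other combination of length and offset that reaches that boundary would hit the same read. Consider bounding the verification against the end of the allocation so this test can keep covering the maximum length, or at least add a comment on the `.iterate_len` line stating why ITERATE_MAX_LEN must not be used together with the PAGE_SIZE - 4 rx offset, so that a later edit does not restore it.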