mail archive of the barebox mailing list
 help / color / mirror / Atom feed
* [PATCH v2] ARM: i.MX7: esdctl: fix out-of-bounds read on memory size calculation
@ 2022-05-13 13:53 Ahmad Fatoum
  2022-05-16  8:09 ` Sascha Hauer
  0 siblings, 1 reply; 2+ messages in thread
From: Ahmad Fatoum @ 2022-05-13 13:53 UTC (permalink / raw)
  To: barebox; +Cc: Joacim Zetterling, Ahmad Fatoum

addrmap[] has 9 elements on i.MX8M platforms and 7 elements on i.MX7.
Checking unconditionally for addrmap[8] is thus out-of-bounds on the
i.MX7. Get both arrays to the same size to fix this. This is ok,
because an addrmap of 0 is a no-op.

Fixes: 42d45ef380c5 ("ARM: imx: Add imx8 support for SDRAM with two or more bank groups")
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
v1 -> v2:
  - Just align array sizes to reduce surprise. No functional change
 arch/arm/mach-imx/esdctl.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/arch/arm/mach-imx/esdctl.c b/arch/arm/mach-imx/esdctl.c
index d3dbfff423da..c1ed2f0b2fd4 100644
--- a/arch/arm/mach-imx/esdctl.c
+++ b/arch/arm/mach-imx/esdctl.c
@@ -350,6 +350,8 @@ static int vf610_ddrmc_add_mem(void *mmdcbase, struct imx_esdctl_data *data)
 #define DDRC_ADDRMAP8_BG_B1			GENMASK(13,  8)
 #define DDRC_ADDRMAP8_BG_B0			GENMASK(4,  0)
 
+#define DDRC_ADDRMAP_LENGTH			9
+
 static unsigned int
 imx_ddrc_count_bits(unsigned int bits, const u8 config[],
 		     unsigned int config_num)
@@ -365,7 +367,7 @@ imx_ddrc_count_bits(unsigned int bits, const u8 config[],
 }
 
 static resource_size_t
-imx_ddrc_sdram_size(void __iomem *ddrc, const u32 addrmap[],
+imx_ddrc_sdram_size(void __iomem *ddrc, const u32 addrmap[DDRC_ADDRMAP_LENGTH],
 		    u8 col_max, const u8 col_b[], unsigned int col_b_num,
 		    u8 row_max, const u8 row_b[], unsigned int row_b_num,
 		    bool reduced_adress_space, bool is_imx8)
@@ -446,7 +448,7 @@ imx_ddrc_sdram_size(void __iomem *ddrc, const u32 addrmap[],
 
 static resource_size_t imx8m_ddrc_sdram_size(void __iomem *ddrc)
 {
-	const u32 addrmap[] = {
+	const u32 addrmap[DDRC_ADDRMAP_LENGTH] = {
 		readl(ddrc + DDRC_ADDRMAP(0)),
 		readl(ddrc + DDRC_ADDRMAP(1)),
 		readl(ddrc + DDRC_ADDRMAP(2)),
@@ -498,7 +500,7 @@ static int imx8m_ddrc_add_mem(void *mmdcbase, struct imx_esdctl_data *data)
 
 static resource_size_t imx7d_ddrc_sdram_size(void __iomem *ddrc)
 {
-	const u32 addrmap[] = {
+	const u32 addrmap[DDRC_ADDRMAP_LENGTH] = {
 		readl(ddrc + DDRC_ADDRMAP(0)),
 		readl(ddrc + DDRC_ADDRMAP(1)),
 		readl(ddrc + DDRC_ADDRMAP(2)),
-- 
2.30.2


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox


^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [PATCH v2] ARM: i.MX7: esdctl: fix out-of-bounds read on memory size calculation
  2022-05-13 13:53 [PATCH v2] ARM: i.MX7: esdctl: fix out-of-bounds read on memory size calculation Ahmad Fatoum
@ 2022-05-16  8:09 ` Sascha Hauer
  0 siblings, 0 replies; 2+ messages in thread
From: Sascha Hauer @ 2022-05-16  8:09 UTC (permalink / raw)
  To: Ahmad Fatoum; +Cc: barebox, Joacim Zetterling

On Fri, May 13, 2022 at 03:53:52PM +0200, Ahmad Fatoum wrote:
> addrmap[] has 9 elements on i.MX8M platforms and 7 elements on i.MX7.
> Checking unconditionally for addrmap[8] is thus out-of-bounds on the
> i.MX7. Get both arrays to the same size to fix this. This is ok,
> because an addrmap of 0 is a no-op.
> 
> Fixes: 42d45ef380c5 ("ARM: imx: Add imx8 support for SDRAM with two or more bank groups")
> Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
> ---
> v1 -> v2:
>   - Just align array sizes to reduce surprise. No functional change
>  arch/arm/mach-imx/esdctl.c | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)

Applied, thanks

Sascha

> 
> diff --git a/arch/arm/mach-imx/esdctl.c b/arch/arm/mach-imx/esdctl.c
> index d3dbfff423da..c1ed2f0b2fd4 100644
> --- a/arch/arm/mach-imx/esdctl.c
> +++ b/arch/arm/mach-imx/esdctl.c
> @@ -350,6 +350,8 @@ static int vf610_ddrmc_add_mem(void *mmdcbase, struct imx_esdctl_data *data)
>  #define DDRC_ADDRMAP8_BG_B1			GENMASK(13,  8)
>  #define DDRC_ADDRMAP8_BG_B0			GENMASK(4,  0)
>  
> +#define DDRC_ADDRMAP_LENGTH			9
> +
>  static unsigned int
>  imx_ddrc_count_bits(unsigned int bits, const u8 config[],
>  		     unsigned int config_num)
> @@ -365,7 +367,7 @@ imx_ddrc_count_bits(unsigned int bits, const u8 config[],
>  }
>  
>  static resource_size_t
> -imx_ddrc_sdram_size(void __iomem *ddrc, const u32 addrmap[],
> +imx_ddrc_sdram_size(void __iomem *ddrc, const u32 addrmap[DDRC_ADDRMAP_LENGTH],
>  		    u8 col_max, const u8 col_b[], unsigned int col_b_num,
>  		    u8 row_max, const u8 row_b[], unsigned int row_b_num,
>  		    bool reduced_adress_space, bool is_imx8)
> @@ -446,7 +448,7 @@ imx_ddrc_sdram_size(void __iomem *ddrc, const u32 addrmap[],
>  
>  static resource_size_t imx8m_ddrc_sdram_size(void __iomem *ddrc)
>  {
> -	const u32 addrmap[] = {
> +	const u32 addrmap[DDRC_ADDRMAP_LENGTH] = {
>  		readl(ddrc + DDRC_ADDRMAP(0)),
>  		readl(ddrc + DDRC_ADDRMAP(1)),
>  		readl(ddrc + DDRC_ADDRMAP(2)),
> @@ -498,7 +500,7 @@ static int imx8m_ddrc_add_mem(void *mmdcbase, struct imx_esdctl_data *data)
>  
>  static resource_size_t imx7d_ddrc_sdram_size(void __iomem *ddrc)
>  {
> -	const u32 addrmap[] = {
> +	const u32 addrmap[DDRC_ADDRMAP_LENGTH] = {
>  		readl(ddrc + DDRC_ADDRMAP(0)),
>  		readl(ddrc + DDRC_ADDRMAP(1)),
>  		readl(ddrc + DDRC_ADDRMAP(2)),
> -- 
> 2.30.2
> 
> 
> _______________________________________________
> barebox mailing list
> barebox@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/barebox
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2022-05-16  8:10 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-05-13 13:53 [PATCH v2] ARM: i.MX7: esdctl: fix out-of-bounds read on memory size calculation Ahmad Fatoum
2022-05-16  8:09 ` Sascha Hauer

mail archive of the barebox mailing list

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://lore.barebox.org/barebox/0 barebox/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 barebox barebox/ https://lore.barebox.org/barebox \
		barebox@lists.infradead.org barebox@lists.infradead.org
	public-inbox-index barebox

Example config snippet for mirrors.


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git