[lvc-project] [PATCH 6.1 1/1] objtool, spi: amd: Fix out-of-bounds stack access in amd_set_spi_freq()
Fedor Pchelkin
pchelkin at ispras.ru
Fri Jun 20 13:04:27 MSK 2025
On Thu, 19. Jun 14:23, Dmitriy Privalov wrote:
> From: Josh Poimboeuf <jpoimboe at kernel.org>
>
> commit 76e51db43fe4aaaebcc5ddda67b0807f7c9bdecc upstream.
Здесь мне совсем не удалось понять надобность патча для 6.1.
>
> If speed_hz < AMD_SPI_MIN_HZ, amd_set_spi_freq() iterates over the
> entire amd_spi_freq array without breaking out early, causing 'i' to go
> beyond the array bounds.
То есть проблема может быть, если speed_hz < AMD_SPI_MIN_HZ.
Но в 6.1.y отсутствует
commit e6204f39fe3a7b4538815a2d778b601bd543649e
Author: Miquel Raynal <miquel.raynal at bootlin.com>
Date: Tue Dec 24 18:05:49 2024 +0100
spi: amd: Drop redundant check
Both spi and spi-mem cores already take care of checking the minimum and
maximum speed for transfers depending on the controller
capabilities. There is no reason to repeat this check in controller
drivers.
Once this possible error condition removed from the function, it makes
no longer sense to return an int.
Signed-off-by: Miquel Raynal <miquel.raynal at bootlin.com>
Link: https://patch.msgid.link/20241224-winbond-6-11-rc1-quad-support-v2-4-ad218dbc406f@bootlin.com
Signed-off-by: Mark Brown <broonie at kernel.org>
>
> Fix that by stopping the loop when it gets to the last entry, so the low
> speed_hz value gets clamped up to AMD_SPI_MIN_HZ.
>
> Fixes the following warning with an UBSAN kernel:
>
> drivers/spi/spi-amd.o: error: objtool: amd_set_spi_freq() falls through to next function amd_spi_set_opcode()
Думаю, это вполне можно попробовать воспроизвести или же убедиться в
невоспроизводимости при самостоятельной сборке 6.1-ядра с нужными
конфиг-опциями и компилятором.
>
> Fixes: 3fe26121dc3a ("spi: amd: Configure device speed")
> Reported-by: kernel test robot <lkp at intel.com>
> Signed-off-by: Josh Poimboeuf <jpoimboe at kernel.org>
> Signed-off-by: Ingo Molnar <mingo at kernel.org>
> Acked-by: Mark Brown <broonie at kernel.org>
> Cc: Raju Rangoju <Raju.Rangoju at amd.com>
> Cc: Linus Torvalds <torvalds at linux-foundation.org>
> Link: https://lore.kernel.org/r/78fef0f2434f35be9095bcc9ffa23dd8cab667b9.1742852847.git.jpoimboe@kernel.org
> Closes: https://lore.kernel.org/r/202503161828.RUk9EhWx-lkp@intel.com/
> Signed-off-by: Dmitriy Privalov <d.privalov at omp.ru>
> ---
Просьба для патчей, фиксящих CVE, кратко указывать в форме
https://portal.linuxtesting.ru/How-to-send-patches-to-kernel.html#Портирование-исправлений-для-известных-уязвимостей
иначе приходится проводить поиск по гитлабу и искать нужную задачу.
> drivers/spi/spi-amd.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/spi/spi-amd.c b/drivers/spi/spi-amd.c
> index bfc3ab5f39ea..b53301e563bc 100644
> --- a/drivers/spi/spi-amd.c
> +++ b/drivers/spi/spi-amd.c
> @@ -243,7 +243,7 @@ static int amd_set_spi_freq(struct amd_spi *amd_spi, u32 speed_hz)
> if (speed_hz < AMD_SPI_MIN_HZ)
> return -EINVAL;
>
> - for (i = 0; i < ARRAY_SIZE(amd_spi_freq); i++)
> + for (i = 0; i < ARRAY_SIZE(amd_spi_freq)-1; i++)
> if (speed_hz >= amd_spi_freq[i].speed_hz)
> break;
>
> --
> 2.34.1
More information about the lvc-project
mailing list