[PATCH 2/2] mtd: nand: qpic_common: prevent out of bounds access of BAM arrays

[Gabor Juhos]

2025. 05. 26. 8:53 keltezéssel, Md Sadre Alam írta:
> Hi,
> 
> On 5/25/2025 10:35 PM, Gabor Juhos wrote:
>> The common QPIC code does not do any boundary checking when it handles
>> the command elements and scatter gater list arrays of a BAM transaction,
>> thus it allows to access out of bounds elements in those.
>>
>> Although it is the responsibility of the given driver to allocate enough
>> space for all possible BAM transaction variations, however there can be
>> mistakes in the driver code which can lead to hidden memory corruption
>> issues which are hard to debug.
>>
>> This kind of problem has been observed during testing the 'spi-qpic-snand'
>> driver. Although the driver has been fixed with a preceding patch, but it
>> still makes sense to reduce the chance of having such errors again later.
>>
>> In order to prevent such errors, change the qcom_alloc_bam_transaction()
>> function to store the number of elements of the arrays in the
>> 'bam_transaction' strucutre during allocation. Also, add sanity checks to
>> the qcom_prep_bam_dma_desc_{cmd,data}() functions to avoid using out of
>> bounds indices for the arrays.
>>
>> Tested with the 'spi-qpic-snand' driver only.
> I recommend testing this patch on both the IPQ and SDX platforms,
> as the QPIC raw NAND driver are utilized across both.
> 
> If you have access to IPQ and SDX devices with raw NAND, please proceed
> with testing on both.

Sorry, I have no SDX devices at all, and unfortunately I can't access my older
IPQ boards before next week.

> 
> Otherwise, I can handle testing on the IPQ raw NAND device and coordinate with
> Lakshmi Sowjanya D (quic_laksd at quicinc.com)
> for testing on the SDX platform.

If you could do some testing in the meantime, that would be superb.
Thanks for that in advance!

Regards,
Gabor