[PATCH 2/2] mtd: nand: qpic_common: prevent out of bounds access of BAM arrays
Lakshmi Sowjanya D (QUIC)
quic_laksd at quicinc.com
Tue May 27 23:11:17 PDT 2025
> -----Original Message-----
> From: Gabor Juhos <j4g8y7 at gmail.com>
> Sent: Tuesday, May 27, 2025 1:31 AM
> To: Md Sadre Alam (QUIC) <quic_mdalam at quicinc.com>; Mark Brown
> <broonie at kernel.org>; Varadarajan Narayanan (QUIC)
> <quic_varada at quicinc.com>; Sricharan Ramabadhran (QUIC)
> <quic_srichara at quicinc.com>; Miquel Raynal <miquel.raynal at bootlin.com>;
> Richard Weinberger <richard at nod.at>; Vignesh Raghavendra
> <vigneshr at ti.com>
> Cc: linux-spi at vger.kernel.org; linux-mtd at lists.infradead.org; linux-arm-
> msm at vger.kernel.org; linux-kernel at vger.kernel.org; Lakshmi Sowjanya D
> (QUIC) <quic_laksd at quicinc.com>
> Subject: Re: [PATCH 2/2] mtd: nand: qpic_common: prevent out of bounds
> access of BAM arrays
>
> On 2025. 05. 26. 8:53, Md Sadre Alam wrote:
> > Hi,
> >
> > On 5/25/2025 10:35 PM, Gabor Juhos wrote:
> >> The common QPIC code does not do any boundary checking when it
> >> handles the command elements and scatter gather list arrays of a BAM
> >> transaction, thus it allows to access out of bounds elements in those.
> >>
> >> Although it is the responsibility of the given driver to allocate
> >> enough space for all possible BAM transaction variations, however
> >> there can be mistakes in the driver code which can lead to hidden
> >> memory corruption issues which are hard to debug.
> >>
> >> This kind of problem has been observed during testing the 'spi-qpic-snand'
> >> driver. Although the driver has been fixed with a preceding patch,
> >> but it still makes sense to reduce the chance of having such errors again
> >> later.
> >>
> >> In order to prevent such errors, change the
> >> qcom_alloc_bam_transaction() function to store the number of elements
> >> of the arrays in the 'bam_transaction' structure during allocation.
> >> Also, add sanity checks to the qcom_prep_bam_dma_desc_{cmd,data}()
> >> functions to avoid using out of bounds indices for the arrays.
> >>
> >> Tested with the 'spi-qpic-snand' driver only.
> > I recommend testing this patch on both the IPQ and SDX platforms, as
> > the QPIC raw NAND driver is utilized across both.
> >
> > If you have access to IPQ and SDX devices with raw NAND, please
> > proceed with testing on both.
>
> Sorry, I have no SDX devices at all, and unfortunately I can't access my older
> IPQ boards before next week.
>
> >
> > Otherwise, I can handle testing on the IPQ raw NAND device and
> > coordinate with Lakshmi Sowjanya D (quic_laksd at quicinc.com) for
> > testing on the SDX platform.
>
> If you could do some testing in the meantime, that would be superb.
> Thanks for that in advance!
>
> Regards,
> Gabor
Tested-by: Lakshmi Sowjanya D <quic_laksd at quicinc.com> # on SDX75
--
Regards
Lakshmi Sowjanya
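The pattern the quoted patch description outlines (record the number of elements of each BAM array in the transaction structure at allocation time, then refuse any descriptor preparation that would index past those counts) written out as an added, self-contained example in plain C. This is not the kernel's qpic_common code: the struct layout, the `alloc_bam_transaction()` / `prep_bam_dma_desc_{cmd,data}()` names and the `reg_off` / `len` arguments are simplified stand-ins, and the scatterlist and command-element types are constructed here rather than the kernel's definitions.

```c
#include <errno.h>
#include <stdlib.h>

/* Constructed stand-ins for the BAM command element and scatterlist entry. */
struct bam_cmd_element { unsigned int addr; unsigned int data; };
struct sg_entry { void *buf; unsigned int len; };

/* Cut-down bam_transaction: the arrays, the element counts recorded at
 * allocation (the point of the patch) and the running fill positions. */
struct bam_transaction {
	struct bam_cmd_element *bam_ce;
	struct sg_entry *cmd_sgl;
	struct sg_entry *data_sgl;
	unsigned int bam_ce_nitems, cmd_sgl_nitems, data_sgl_nitems;
	unsigned int bam_ce_pos, cmd_sgl_pos, data_sgl_pos;
};

void free_bam_transaction(struct bam_transaction *bam_txn)
{
	if (!bam_txn)
		return;
	free(bam_txn->bam_ce);
	free(bam_txn->cmd_sgl);
	free(bam_txn->data_sgl);
	free(bam_txn);
}

/* Allocate the arrays and remember how many elements each one holds. */
struct bam_transaction *alloc_bam_transaction(unsigned int ce_n,
					      unsigned int cmd_sg_n,
					      unsigned int data_sg_n)
{
	struct bam_transaction *bam_txn = calloc(1, sizeof(*bam_txn));

	if (!bam_txn)
		return NULL;
	bam_txn->bam_ce = calloc(ce_n, sizeof(*bam_txn->bam_ce));
	bam_txn->cmd_sgl = calloc(cmd_sg_n, sizeof(*bam_txn->cmd_sgl));
	bam_txn->data_sgl = calloc(data_sg_n, sizeof(*bam_txn->data_sgl));
	if (!bam_txn->bam_ce || !bam_txn->cmd_sgl || !bam_txn->data_sgl) {
		free_bam_transaction(bam_txn);
		return NULL;
	}
	bam_txn->bam_ce_nitems = ce_n;
	bam_txn->cmd_sgl_nitems = cmd_sg_n;
	bam_txn->data_sgl_nitems = data_sg_n;
	return bam_txn;
}

/* Queue 'size' command elements plus the one command scatterlist entry that
 * carries them. Both arrays are bounds-checked before anything is written,
 * so a driver mistake is reported instead of corrupting adjacent memory. */
int prep_bam_dma_desc_cmd(struct bam_transaction *bam_txn, unsigned int size,
			  unsigned int reg_off)
{
	unsigned int i, pos = bam_txn->bam_ce_pos;

	if (size > bam_txn->bam_ce_nitems - pos)
		return -EINVAL;
	if (bam_txn->cmd_sgl_pos >= bam_txn->cmd_sgl_nitems)
		return -EINVAL;
	for (i = 0; i < size; i++) {
		bam_txn->bam_ce[pos + i].addr = reg_off + 4 * i;
		bam_txn->bam_ce[pos + i].data = 0;
	}
	bam_txn->cmd_sgl[bam_txn->cmd_sgl_pos].buf = &bam_txn->bam_ce[pos];
	bam_txn->cmd_sgl[bam_txn->cmd_sgl_pos].len = size * sizeof(struct bam_cmd_element);
	bam_txn->bam_ce_pos += size;
	bam_txn->cmd_sgl_pos++;
	return 0;
}

/* Queue one data scatterlist entry, again checking the recorded count first. */
int prep_bam_dma_desc_data(struct bam_transaction *bam_txn, void *buf,
			   unsigned int len)
{
	if (bam_txn->data_sgl_pos >= bam_txn->data_sgl_nitems)
		return -EINVAL;
	bam_txn->data_sgl[bam_txn->data_sgl_pos].buf = buf;
	bam_txn->data_sgl[bam_txn->data_sgl_pos].len = len;
	bam_txn->data_sgl_pos++;
	return 0;
}

/* Fill a small transaction to capacity and then try one step past it.
 * Returns 1 when the overflowing calls are refused and nothing was queued
 * beyond the recorded sizes, 0 otherwise. */
int demo_bounds_checks(void)
{
	struct bam_transaction *bam_txn = alloc_bam_transaction(8, 2, 1);
	char page[64];
	int ok;

	if (!bam_txn)
		return 0;
	ok = prep_bam_dma_desc_cmd(bam_txn, 5, 0x20) == 0 &&
	     prep_bam_dma_desc_cmd(bam_txn, 3, 0x40) == 0 &&
	     /* all 8 command elements used: a 9th must be rejected */
	     prep_bam_dma_desc_cmd(bam_txn, 1, 0x60) == -EINVAL &&
	     prep_bam_dma_desc_data(bam_txn, page, sizeof(page)) == 0 &&
	     /* the single data entry is used up */
	     prep_bam_dma_desc_data(bam_txn, page, sizeof(page)) == -EINVAL &&
	     bam_txn->bam_ce_pos == bam_txn->bam_ce_nitems &&
	     bam_txn->cmd_sgl_pos == bam_txn->cmd_sgl_nitems &&
	     bam_txn->data_sgl_pos == bam_txn->data_sgl_nitems;
	free_bam_transaction(bam_txn);
	return ok;
}
```

The check in `prep_bam_dma_desc_cmd()` is written as `size > nitems - pos` rather than `pos + size > nitems` so that it cannot wrap for an absurd `size`; the positions never exceed the recorded counts because they are only advanced after the check passes.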