From patchwork Wed Nov 23 15:21:41 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jit Loon Lim <jit.loon.lim@intel.com>
X-Patchwork-Id: 1708385
X-Patchwork-Delegate: marek.vasut@gmail.com
Return-Path: <u-boot-bounces@lists.denx.de>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de
 (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;
 envelope-from=u-boot-bounces@lists.denx.de; receiver=<UNKNOWN>)
Authentication-Results: legolas.ozlabs.org;
	dkim=pass (2048-bit key;
 unprotected) header.d=intel.com header.i=@intel.com header.a=rsa-sha256
 header.s=Intel header.b=EzI/l0em;
	dkim-atps=neutral
Received: from phobos.denx.de (phobos.denx.de
 [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384))
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4NHPxL3nfLz23lT
	for <incoming@patchwork.ozlabs.org>; Thu, 24 Nov 2022 02:21:58 +1100 (AEDT)
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
	by phobos.denx.de (Postfix) with ESMTP id 8A11A852C3;
	Wed, 23 Nov 2022 16:21:53 +0100 (CET)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=none dis=none) header.from=intel.com
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Authentication-Results: phobos.denx.de;
	dkim=pass (2048-bit key;
 unprotected) header.d=intel.com header.i=@intel.com header.b="EzI/l0em";
	dkim-atps=neutral
Received: by phobos.denx.de (Postfix, from userid 109)
 id 9DF458551E; Wed, 23 Nov 2022 16:21:52 +0100 (CET)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de
X-Spam-Level: 
X-Spam-Status: No, score=0.9 required=5.0 tests=AC_FROM_MANY_DOTS,BAYES_00,
 DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,
 SPF_HELO_NONE,SPF_NONE autolearn=no autolearn_force=no version=3.4.2
Received: from mga06.intel.com (mga06b.intel.com [134.134.136.31])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by phobos.denx.de (Postfix) with ESMTPS id B2BD2851E7
 for <u-boot@lists.denx.de>; Wed, 23 Nov 2022 16:21:49 +0100 (CET)
Authentication-Results: phobos.denx.de;
 dmarc=pass (p=none dis=none) header.from=intel.com
Authentication-Results: phobos.denx.de;
 spf=none smtp.mailfrom=jitloonl@ecsmtp.png.intel.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;
 d=intel.com; i=@intel.com; q=dns/txt; s=Intel;
 t=1669216909; x=1700752909;
 h=from:to:cc:subject:date:message-id:mime-version:
 content-transfer-encoding;
 bh=j9PF55hUIXEVoAQskqCy5zBdqFW0hKCMQjuCXCj59QI=;
 b=EzI/l0emuS0Iq8zTWaI4QDbZdm9WkZ5KouHxMm1LNjCH5/JoxeKu+PvV
 z2yd/hLYSGphgHTSQ9NuUZ0zkUJQetqiXjl+HFUw2e1/Ydk3bpOLM5W/m
 PNAC+kZuG9hpel6MOW3LCJPvut3BKv1AiVTHeAYCGHVIwDFI9m/0eOfsm
 Ew368KZktTSu3Qg3bf4nq5kYcQS5h7lTyuTu2ehavrBNTKqrVxL9rTcFY
 JVqO9XWuiQg1GFpaM6yIvyjsMHxiok3XZ4EIqtTmllgdqAJtCUMbHFoRe
 Abs8lI3y0w6L+goHJfNRCasugtlKPCPQLe0KVXRdAanYTXAGn24xWyffF A==;
X-IronPort-AV: E=McAfee;i="6500,9779,10540"; a="376233679"
X-IronPort-AV: E=Sophos;i="5.96,187,1665471600"; d="scan'208";a="376233679"
Received: from fmsmga008.fm.intel.com ([10.253.24.58])
 by orsmga104.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 23 Nov 2022 07:21:47 -0800
X-ExtLoop1: 1
X-IronPort-AV: E=McAfee;i="6500,9779,10540"; a="705396275"
X-IronPort-AV: E=Sophos;i="5.96,187,1665471600"; d="scan'208";a="705396275"
Received: from pglmail07.png.intel.com ([10.221.193.207])
 by fmsmga008.fm.intel.com with ESMTP; 23 Nov 2022 07:21:43 -0800
Received: from localhost (pgli0028.png.intel.com [10.221.84.177])
 by pglmail07.png.intel.com (Postfix) with ESMTP id 94493482B;
 Wed, 23 Nov 2022 23:21:42 +0800 (+08)
Received: by localhost (Postfix, from userid 12048045)
 id 5F3B1E0095B; Wed, 23 Nov 2022 23:21:42 +0800 (+08)
From: Jit Loon Lim <jit.loon.lim@intel.com>
To: u-boot@lists.denx.de
Cc: Jagan Teki <jagan@amarulasolutions.com>, Vignesh R <vigneshr@ti.com>,
 Marek <marex@denx.de>, Simon <simon.k.r.goldschmidt@gmail.com>,
 Tien Fong <tien.fong.chee@intel.com>, Kok Kiang <kok.kiang.hea@intel.com>,
 Siew Chin <elly.siew.chin.lim@intel.com>, Sin Hui <sin.hui.kho@intel.com>,
 Raaj <raaj.lokanathan@intel.com>, Dinesh <dinesh.maniyam@intel.com>,
 Boon Khai <boon.khai.ng@intel.com>, Alif <alif.zakuan.yuslaimi@intel.com>,
 Teik Heng <teik.heng.chong@intel.com>,
 Hazim <muhammad.hazim.izzat.zamri@intel.com>,
 Jit Loon Lim <jit.loon.lim@intel.com>,
 Sieu Mun Tang <sieu.mun.tang@intel.com>
Subject: [PATCH] ddr: altera: n5x: Ensure 'cal->header.data_len' is validated
Date: Wed, 23 Nov 2022 23:21:41 +0800
Message-Id: <20221123152141.31222-1-jit.loon.lim@intel.com>
X-Mailer: git-send-email 2.26.2
MIME-Version: 1.0
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.103.6 at phobos.denx.de
X-Virus-Status: Clean

From: Tien Fong Chee <tien.fong.chee@intel.com>

Klocwork reported the unvalidated integer value 'cal->header.data_len' is
used but this is not a issue because the proper value is calculated before
assigning 'cal->header.data_len' and CRC32 is generated before saving
this value into QSPI to ensure data integrity when reading this variable.

Adding checking on 'cal->header.data_len' to ensure the value is valid for
the sake of good coding practice.

Signed-off-by: Tien Fong Chee <tien.fong.chee@intel.com>
Signed-off-by: Jit Loon Lim <jit.loon.lim@intel.com>
---
 drivers/ddr/altera/sdram_n5x.c | 44 +++++++++++++++++++++++++++-------
 1 file changed, 36 insertions(+), 8 deletions(-)

diff --git a/drivers/ddr/altera/sdram_n5x.c b/drivers/ddr/altera/sdram_n5x.c
index 0e944b7a15..8a5f0a3df4 100644
--- a/drivers/ddr/altera/sdram_n5x.c
+++ b/drivers/ddr/altera/sdram_n5x.c
@@ -1109,8 +1109,8 @@ static void phy_ocram(phys_addr_t phy_base, phys_addr_t phy_offset,
 	}
 }
 
-static void cal_data_ocram(phys_addr_t phy_base, u32 addr,
-			   enum data_process proc)
+static int cal_data_ocram(phys_addr_t phy_base, u32 addr,
+			  enum data_process proc)
 {
 	/*
 	 * This array variable contains a list of PHY registers required for
@@ -1435,6 +1435,13 @@ static void cal_data_ocram(phys_addr_t phy_base, u32 addr,
 			       cal->header.ddrconfig_hash,
 			       CHUNKSZ_PER_WD_RESET);
 
+		if (SOC64_HANDOFF_BASE < ((uintptr_t)(&cal->data) +
+		    cal->header.data_len)) {
+			debug("%s: Backup cal data overflow HPS handoff\n",
+			      __func__);
+			return -ENOEXEC;
+		}
+
 		crc32_wd_buf((u8 *)&cal->data, cal->header.data_len,
 			     (u8 *)&cal->header.caldata_crc32,
 			     CHUNKSZ_PER_WD_RESET);
@@ -1443,6 +1450,8 @@ static void cal_data_ocram(phys_addr_t phy_base, u32 addr,
 	/* Isolate the APB access from internal CSRs */
 	setbits_le16(phy_base + DDR_PHY_APBONLY0_OFFSET,
 		     DDR_PHY_MICROCONTMUXSEL);
+
+	return 0;
 }
 
 static bool is_ddrconfig_hash_match(const void *buffer)
@@ -1559,6 +1568,12 @@ static bool is_cal_bak_data_valid(void)
 		return false;
 	}
 
+	if (SOC64_HANDOFF_BASE < (SOC64_OCRAM_PHY_BACKUP_BASE +
+	    cal->header.data_len + sizeof(struct cal_header_t))) {
+		debug("%s: Backup cal data overflow HPS handoff\n", __func__);
+		return false;
+	}
+
 	/* Load header + DDR bak cal into OCRAM buffer */
 	ret = request_firmware_into_buf(dev,
 					qspi_offset,
@@ -1571,6 +1586,12 @@ static bool is_cal_bak_data_valid(void)
 		return false;
 	}
 
+	if (SOC64_HANDOFF_BASE < ((uintptr_t)(&cal->data) +
+	    cal->header.data_len)) {
+		debug("%s: Backup cal data overflow HPS handoff\n", __func__);
+		return false;
+	}
+
 	crc32_wd_buf((u8 *)&cal->data, cal->header.data_len,
 		     (u8 *)&crc32, CHUNKSZ_PER_WD_RESET);
 	debug("%s: crc32 %x for bak calibration data from QSPI\n", __func__,
@@ -1636,8 +1657,11 @@ static int init_phy(struct ddr_handoff *ddr_handoff_info,
 			ddr_handoff_info->phy_handoff_length,
 			ddr_handoff_info->phy_base);
 	} else {
-		cal_data_ocram(ddr_handoff_info->phy_base,
-			       SOC64_OCRAM_PHY_BACKUP_BASE, LOADING);
+		ret = cal_data_ocram(ddr_handoff_info->phy_base,
+				     SOC64_OCRAM_PHY_BACKUP_BASE, LOADING);
+
+		if (ret)
+			return ret;
 
 		/*
 		 * Invalidate the section used for processing the PHY
@@ -2955,10 +2979,14 @@ int sdram_mmr_init_full(struct udevice *dev)
 			 * Backup calibration data to OCRAM first, these data
 			 * might be permanant stored to flash in later
 			 */
-			if (is_ddr_retention_enabled(reg))
-				cal_data_ocram(ddr_handoff_info.phy_base,
-					       SOC64_OCRAM_PHY_BACKUP_BASE,
-					       STORE);
+			if (is_ddr_retention_enabled(reg)) {
+				ret = cal_data_ocram(ddr_handoff_info.phy_base,
+						   SOC64_OCRAM_PHY_BACKUP_BASE,
+						   STORE);
+
+				if (ret)
+					return ret;
+			}
 
 		} else {
 			/* Updating training result to DDR controller */