lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Sat, 22 Nov 2008 10:56:05 +0100
From:	Takashi Iwai <tiwai@...e.de>
To:	Andrew Morton <akpm@...ux-foundation.org>
Cc:	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] Fix array overflow in parport_serial.c

At Fri, 21 Nov 2008 14:16:21 -0800,
Andrew Morton wrote:
> 
> On Thu, 20 Nov 2008 17:35:20 +0100
> Takashi Iwai <tiwai@...e.de> wrote:
> 
> > Subject: [PATCH] Fix array overflow in parport_serial.c
> 
> Please prefer titles in the form
> 
> 	subsystem identifer: what was done to it
> 
> I renamed this one to
> 
> 	parport_serial: fix array overflow

Yep, better.  Thanks.

> > Date: Thu, 20 Nov 2008 17:35:20 +0100
> > User-Agent: Wanderlust/2.12.0 (Your Wildest Dreams) SEMI/1.14.6 (Maruoka)
> >  FLIM/1.14.7 (Sanj__) APEL/10.6 Emacs/22.3
> >  (x86_64-suse-linux-gnu) MULE/5.0 (SAKAKI)
> > 
> > The netmos_9xx5_combo type assumes that PCI SSID provides always the
> > correct value for the number of parallel and serial ports, but there
> > are indeed broken devices with wrong numbers, which may result in
> > Oops.
> > 
> > This patch simply adds the check of the array range.
> > 
> > Reference: Novell bnc#447067
> > 	https://bugzilla.novell.com/show_bug.cgi?id=447067
> > 
> > Signed-off-by: Takashi Iwai <tiwai@...e.de>
> > 
> > ---
> > diff --git a/drivers/parport/parport_serial.c b/drivers/parport/parport_serial.c
> > index e2e95b3..101ed49 100644
> > --- a/drivers/parport/parport_serial.c
> > +++ b/drivers/parport/parport_serial.c
> > @@ -70,6 +70,8 @@ static int __devinit netmos_parallel_init(struct pci_dev *dev, struct parport_pc
> >  	 * parallel ports and <S> is the number of serial ports.
> >  	 */
> >  	card->numports = (dev->subsystem_device & 0xf0) >> 4;
> > +	if (card->numports > ARRAY_SIZE(card->addr))
> 
> hm.  ARRAY_SIZE returns an unsigned type so we don't have to worry
> about negative values when doing comparisons like this.  Not that
> card->numports could be negative anyway, but it's always nice to set
> readers' minds at rest..

I think changing numports to unsigned is the easiest way.

> > +		card->numports = ARRAY_SIZE(card->addr);
> >  	return 0;
> >  }
> 
> 
> Should we emit some kind of warning when this is detected?  I guess
> not, if we're sure that there will never be a situation in which users
> find that some of their ports don't work?

I thought of that, too, but wanted to make the change minimum.

Besides that, I'm not sure whether netmos_parallel_init() really works
as its description.  It changes numports, but it doesn't change the
addr[].  In cards[], only one item is defined, thus all of the reset
point BAR 0.

I made the patch just to fix the oops, but this code should be fixed
in a better way, anyway.


thanks,

Takashi
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ