lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <200707241026.46814.hjk@linutronix.de>
Date:	Tue, 24 Jul 2007 10:26:46 +0200
From:	Hans-Jürgen Koch <hjk@...utronix.de>
To:	Jean Delvare <khali@...ux-fr.org>
Cc:	Adrian Bunk <bunk@...sta.de>,
	"Mark M. Hoffman" <mhoffman@...htlink.com>,
	linux-kernel@...r.kernel.org, lm-sensors@...sensors.org
Subject: Re: [lm-sensors] drivers/hwmon/lm93.c: array overruns

Am Dienstag 24 Juli 2007 10:10 schrieb Jean Delvare:
> Hi Hans,
> 
> On Mon, 23 Jul 2007 09:36:57 +0200, Hans-Jürgen Koch wrote:
> > Am Montag 23 Juli 2007 02:54 schrieb Adrian Bunk:
> > > The Coverity checker spotted the following array overruns
> > > in drivers/hwmon/lm93.c:
> > > 
> > > <--  snip  -->
> > > 
> > > ...
> > > struct lm93_data {
> > > ...
> > >         struct {
> > >                 u8 min;
> > >                 u8 max;
> > >         } temp_lim[3];
> > > ...
> > > };
> > > ...
> > > static void lm93_update_client_common(struct lm93_data *data,
> > >                                       struct i2c_client *client)
> > > {
> > > ...
> > >         for (i = 0; i < 4; i++) {
> > >                 data->temp_lim[i].min =
> > >                         lm93_read_byte(client, LM93_REG_TEMP_MIN(i));
> > >                 data->temp_lim[i].max =
> > >                         lm93_read_byte(client, LM93_REG_TEMP_MAX(i));
> > >         }
> > > ...
> > > 
> > > <--  snip  -->
> > 
> > This patch should fix it. Thanks a lot, Adrian!
> > 
> > ----
> > This fixes an array overflow bug. We have 4 pairs of min/max temperature 
> > limits, not 3.
> > 
> > Signed-off-by: Hans J. Koch <hjk@...utronix.de>
> > 
> > --
> > Index: linux-2.6.23-rc/drivers/hwmon/lm93.c
> > ===================================================================
> > --- linux-2.6.23-rc.orig/drivers/hwmon/lm93.c	2007-07-23 09:22:56.000000000 +0200
> > +++ linux-2.6.23-rc/drivers/hwmon/lm93.c	2007-07-23 09:29:37.000000000 +0200
> > @@ -234,7 +234,7 @@
> >  	struct {
> >  		u8 min;
> >  		u8 max;
> > -	} temp_lim[3];
> > +	} temp_lim[4];
> >  
> >  	/* vin1 - vin16: low and high limits */
> >  	struct {
> 
> This will do as a quick fix, so:
> 
> Acked-by: Jean Delvare <khali@...ux-fr.org>
> 
> However, I see that temp4 (which isn't a real temperature channel) is
> not exposed in sysfs. Reading and storing register values you never use
> doesn't seem particularly interesting, so something needs to be done
> here: either drop support for temp4 entirely, or expose the temp4
> values in sysfs.

I've got that on my TODO list. I'll soon work on that driver again. I'm still
waiting for that #§$?& NDA-covered datasheet of the LM94. As soon as I've got
that, I need to review all these values anyway because there might be subtle
differences between LM93 and LM94.
For the moment, I'd like to postpone the decision about what to do with temp4.

Thanks anyway for pointing this out.

Hans
 
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ