lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20080721153757.460c6a48@debian>
Date:	Mon, 21 Jul 2008 15:37:57 +0800
From:	JiSheng Zhang <jszhang3@...l.ustc.edu.cn>
To:	Mikael Pettersson <mikpe@...uu.se>
Cc:	stefanr@...6.in-berlin.de, linux-kernel@...r.kernel.org,
	linux1394-devel@...ts.sourceforge.net, krh@...planet.net
Subject: Re: PATCH] firewire: add padding to some struct

On Sat, 19 Jul 2008 12:09:18 +0200
Mikael Pettersson <mikpe@...uu.se> wrote:

> JiSheng Zhang writes:
>  > On Fri, 18 Jul 2008 17:27:44 +0200
>  > Mikael Pettersson <mikpe@...uu.se> wrote:
>  > 
>  > > JiSheng Zhang writes:
>  > >  > Hi,
>  > >  > >From: Stefan Richter <stefanr@...6.in-berlin.de>
>  > >  > >Reply-To: 
>  > >  > >To: JiSheng Zhang <jszhang3@...l.ustc.edu.cn>
>  > >  > >Subject: Re: PATCH] firewire: add padding to some struct
>  > >  > >Date:Fri, 18 Jul 2008 13:38:25 +0200
>  > >  > >
>  > >  > >JiSheng Zhang wrote:
>  > >  > > > If p is a pointer to struct fw_cdev_event_response), p->data will point to
>  > >  > the
>  > >  > > > padding data rather than the right place, it will cause problem under some
>  > > 
>  > > Define "the right place". If p->data[] isn't the place for the data,
>  > > then something's seriously wrong with either the producer or the
>  > > consumer of that data -- or the data type definition if either is HW.
>  > > 
>  > >  > > > platforms. For example, in the function handle_device_event of
>  > >  > libraw1394(ported
>  > >  > > > to juju stack):
>  > >  > > > .....
>  > >  > > > case FW_CDEV_EVENT_RESPONSE:
>  > >  > > >     rc = u64_to_ptr(u->response.closure);
>  > >  > > >     if (rc->data != NULL)
>  > >  > > > 	memcpy(rc->data, u->response.data, rc->length);//here it will lost the last
>  > >  > four
>  > >  > > > bytes
>  > >  > > >     errcode = juju_to_raw1394_errcode(u->response.rcode);
>  > >  > > > .....
>  > >  > > > 
>  > >  > > > Although this problem can be solved by add the offset to the pointer, but the
>  > >  > > > member:__u32 data[0] lost its original meaning.
>  > >  > > 
>  > >  > > I don't understand what the problem is.  As long as both kernel and
>  > >  > > library use "response.data" or "&response + offsetof(typeof(response),
>  > >  > > data)", they will write and read at the correct location.
>  > >  > >
>  > >  > This patch can fix the problem while not changing the struct definition.
>  > >  > 
>  > >  > 
>  > >  > Thanks in advance,
>  > >  > JiSheng
>  > >  > 
>  > >  > --- old/drivers/firewire/fw-cdev.c	2008-07-14 05:51:29.000000000 +0800
>  > >  > +++ new/drivers/firewire/fw-cdev.c	2008-07-18 20:20:45.841328585 +0800
>  > >  > @@ -382,9 +382,9 @@
>  > >  >  
>  > >  >  	response->response.type   = FW_CDEV_EVENT_RESPONSE;
>  > >  >  	response->response.rcode  = rcode;
>  > >  > -	queue_event(client, &response->event,
>  > >  > -		    &response->response, sizeof(response->response),
>  > >  > -		    response->response.data, response->response.length);
>  > >  > +	queue_event(client, &response->event, &response->response, 
>  > >  > +		    sizeof(response->response) + response->response.length,
>  > >  > +		    NULL, 0);
>  > >  >  }
>  > > 
>  > > Neither of these look correct.
>  > > If sizeof(struct ...) != offsetof(struct ..., data) as you claim is possible,
>  > > then the old code will copy too much to/from ->response but the correct amount
>  > > to/from ->response.data, and the new code will copy too much to/from ->response.data.
>  > The old code will copy 4 extra bytes totally on some platforms, the new code
>  > is correct.
> The new code is only correct if the variable length payload starts
> after the struct, i.e. (void*)(&response->response + 1), and not at
> the data field, i.e. (void*)response->response.data.
> Which is it? That's why I asked:
Yes, the payload starts at the data field(including the padding bytes). But
there is no problem, "As long as both kernel and library use response.data"
as Stefan said.
> 
>  > > Define "the right place". If p->data[] isn't the place for the data,
>  > > then something's seriously wrong with either the producer or the
>  > > consumer of that data -- or the data type definition if either is HW.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ