lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4B6B81AD.40704@windriver.com>
Date:	Fri, 05 Feb 2010 10:25:49 +0800
From:	"stanley.miao" <stanley.miao@...driver.com>
To:	Maxim Levitsky <maximlevitsky@...il.com>
CC:	David Woodhouse <dwmw2@...radead.org>,
	Alex Dubov <oakad@...oo.com>,
	Artem Bityutskiy <dedekind1@...il.com>,
	joern <joern@...fs.org>,
	linux-kernel <linux-kernel@...r.kernel.org>,
	linux-mtd <linux-mtd@...ts.infradead.org>,
	Thomas Gleixner <tglx@...utronix.de>
Subject: Re: [PATCH 11/17] MTD: nand: fix bug that prevented write of more
 that	one page by ->write_oob

ops->ooblen is the oob bytes to write, you add a argument for 
nand_fill_oob to do this,
it is redundant.

I know the bug you want to fix, the ops->ooblen may be illegal. But this 
patch can't this
problem. If (ops->offset + ops->ooblen) > mtd->oobsize, it still will 
write beyond a page.

I think the right method is that nand_do_write_ops do the check like 
nand_do_write_oob,
I have the patch yesterday.

http://patchwork.ozlabs.org/patch/44450/

Stanley.

Maxim Levitsky wrote:
> Although nand_do_write_ops intends to allow such mode, it fails do do so
> Probably this was never tested
>
> Signed-off-by: Maxim Levitsky <maximlevitsky@...il.com>
> ---
>  drivers/mtd/nand/nand_base.c |   16 +++++++++-------
>  1 files changed, 9 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/mtd/nand/nand_base.c b/drivers/mtd/nand/nand_base.c
> index 8ff36be..29e986e 100644
> --- a/drivers/mtd/nand/nand_base.c
> +++ b/drivers/mtd/nand/nand_base.c
> @@ -1879,11 +1879,9 @@ static int nand_write_page(struct mtd_info *mtd, struct nand_chip *chip,
>   * @oob:	oob data buffer
>   * @ops:	oob ops structure
>   */
> -static uint8_t *nand_fill_oob(struct nand_chip *chip, uint8_t *oob,
> -				  struct mtd_oob_ops *ops)
> +static uint8_t *nand_fill_oob(struct nand_chip *chip, uint8_t *oob, size_t len,
> +						struct mtd_oob_ops *ops)
>   

ops->ooblen is the oob bytes to write, you add a prara

>  {
> -	size_t len = ops->ooblen;
> -
>  	switch(ops->mode) {
>  
>  	case MTD_OOB_PLACE:
> @@ -1938,6 +1936,7 @@ static int nand_do_write_ops(struct mtd_info *mtd, loff_t to,
>  	int chipnr, realpage, page, blockmask, column;
>  	struct nand_chip *chip = mtd->priv;
>  	uint32_t writelen = ops->len;
> +	uint32_t oobwritelen = ops->ooblen;
>  	uint8_t *oob = ops->oobbuf;
>  	uint8_t *buf = ops->datbuf;
>  	int ret, subpage;
> @@ -1994,8 +1993,11 @@ static int nand_do_write_ops(struct mtd_info *mtd, loff_t to,
>  			wbuf = chip->buffers->databuf;
>  		}
>  
> -		if (unlikely(oob))
> -			oob = nand_fill_oob(chip, oob, ops);
> +		if (unlikely(oob)) {
> +			size_t len = min(oobwritelen, mtd->oobsize);
> +			oob = nand_fill_oob(chip, oob, len, ops);
> +			oobwritelen -= len;
> +		}
>  
>  		ret = chip->write_page(mtd, chip, wbuf, page, cached,
>  				       (ops->mode == MTD_OOB_RAW));
> @@ -2169,7 +2171,7 @@ static int nand_do_write_oob(struct mtd_info *mtd, loff_t to,
>  		chip->pagebuf = -1;
>  
>  	memset(chip->oob_poi, 0xff, mtd->oobsize);
> -	nand_fill_oob(chip, ops->oobbuf, ops);
> +	nand_fill_oob(chip, ops->oobbuf, ops->ooblen, ops);
>  	status = chip->ecc.write_oob(mtd, chip, page & chip->pagemask);
>  	memset(chip->oob_poi, 0xff, mtd->oobsize);
>  
>   

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ