| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20120514041757.GB9750@kroah.com>
Date: Sun, 13 May 2012 21:17:57 -0700
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: Colin Cross <ccross@...roid.com>
Cc: Anton Vorontsov <anton.vorontsov@...aro.org>,
Kees Cook <keescook@...omium.org>,
Arnd Bergmann <arnd@...db.de>,
John Stultz <john.stultz@...aro.org>, arve@...roid.com,
Rebecca Schultz Zavin <rebecca@...roid.com>,
Jesper Juhl <jj@...osbits.net>,
Randy Dunlap <rdunlap@...otime.net>,
Stephen Boyd <sboyd@...eaurora.org>,
Thomas Meyer <thomas@...3r.de>,
Andrew Morton <akpm@...ux-foundation.org>,
Marco Stornelli <marco.stornelli@...il.com>,
WANG Cong <xiyou.wangcong@...il.com>,
linux-kernel@...r.kernel.org, devel@...verdev.osuosl.org,
linaro-kernel@...ts.linaro.org, patches@...aro.org,
kernel-team@...roid.com
Subject: Re: [PATCH 02/11] persistent_ram: Fix buffer size clamping during
writes
On Sun, May 13, 2012 at 08:23:58PM -0700, Colin Cross wrote:
> On Fri, May 11, 2012 at 5:17 PM, Anton Vorontsov
> <anton.vorontsov@...aro.org> wrote:
> > This is a longstanding bug, almost unnoticeable when calling
> > persistent_ram_write() for small buffers.
> >
> > But when called for large data buffers, the write routine behaves
> > incorrectly, as the size may never update: instead of clamping
> > the size to the maximum buffer size, buffer_size_add_clamp() returns
> > an error (which is never checked by the write routine, btw).
> >
> > To fix this, we now use buffer_size_add() that actually clamps the
> > size to the max value.
> >
> > Also remove buffer_size_add_clamp(), it is no longer needed.
> >
> > Signed-off-by: Anton Vorontsov <anton.vorontsov@...aro.org>
> > ---
> > drivers/staging/android/persistent_ram.c | 19 +------------------
> > 1 file changed, 1 insertion(+), 18 deletions(-)
> >
> > diff --git a/drivers/staging/android/persistent_ram.c b/drivers/staging/android/persistent_ram.c
> > index 12444fd..13a12bc 100644
> > --- a/drivers/staging/android/persistent_ram.c
> > +++ b/drivers/staging/android/persistent_ram.c
> > @@ -79,23 +79,6 @@ static inline void buffer_size_add(struct persistent_ram_zone *prz, size_t a)
> > } while (atomic_cmpxchg(&prz->buffer->size, old, new) != old);
> > }
> >
> > -/* increase the size counter, retuning an error if it hits the max size */
> > -static inline ssize_t buffer_size_add_clamp(struct persistent_ram_zone *prz,
> > - size_t a)
> > -{
> > - size_t old;
> > - size_t new;
> > -
> > - do {
> > - old = atomic_read(&prz->buffer->size);
> > - new = old + a;
> > - if (new > prz->buffer_size)
> > - return -ENOMEM;
> > - } while (atomic_cmpxchg(&prz->buffer->size, old, new) != old);
> > -
> > - return 0;
> > -}
> > -
> > static void notrace persistent_ram_encode_rs8(struct persistent_ram_zone *prz,
> > uint8_t *data, size_t len, uint8_t *ecc)
> > {
> > @@ -300,7 +283,7 @@ int notrace persistent_ram_write(struct persistent_ram_zone *prz,
> > c = prz->buffer_size;
> > }
> >
> > - buffer_size_add_clamp(prz, c);
> > + buffer_size_add(prz, c);
> >
> > start = buffer_start_add(prz, c);
> >
> > --
> > 1.7.9.2
> >
>
> Acked-by: Colin Cross <ccross@...roid.com>
>
> This is a bug fix for a bug introduced in 3.4-rc1, it should go into
> 3.4 if there is another rc.
I'll queue it up for 3.4.1.
thanks,
greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists