Date:	Wed, 23 Apr 2014 14:31:42 +0200
From:	Michal Malý <madcatxster@...oid-pointer.net>
To:	Oliver Neukum <oneukum@...e.de>
Cc:	linux-input@...r.kernel.org, linux-kernel@...r.kernel.org,
	dmitry.torokhov@...il.com, jkosina@...e.cz, elias.vds@...il.com,
	anssi.hannula@....fi, simon@...gewell.org
Subject: Re: [PATCH v2 11/24] input: Port hid-holtekff to ff-memless-next

On Wednesday 23 of April 2014 14:17:50 Oliver Neukum wrote:
> On Tue, 2014-04-22 at 15:59 +0200, Michal Malý wrote:
> >  static int holtekff_play(struct input_dev *dev, void *data,
> > 
> > -                        struct ff_effect *effect)
> > +                        const struct mlnx_effect_command *command)
> > 
> >  {
> >  
> >         struct hid_device *hid = input_get_drvdata(dev);
> >         struct holtekff_device *holtekff = data;
> > 
> > +       const struct mlnx_rumble_force *rumble_force =
> > &command->u.rumble_force;
> > 
> >         int left, right;
> >         /* effect type 1, length 65535 msec */
> >         u8 buf[HOLTEKFF_MSG_LENGTH] =
> >         
> >                 { 0x01, 0x01, 0xff, 0xff, 0x10, 0xe0, 0x00 };
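
Review bot: rumble_force is initialised from &command->u.rumble_force at the top of holtekff_play(), before command->cmd has been examined. Taking the address is harmless by itself, but the pointer is only meaningful for MLNX_START_RUMBLE, so moving the declaration into that case (together with left and right, which are used nowhere else) would keep a later change from reading the union member for a command that does not carry it.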
> 
> On the kernel stack.
> 
> > -       left = effect->u.rumble.strong_magnitude;
> > -       right = effect->u.rumble.weak_magnitude;
> > -       dbg_hid("called with 0x%04x 0x%04x\n", left, right);
> > +       switch (command->cmd) {
> > +       case MLNX_START_RUMBLE:
> > +               left = rumble_force->strong;
> > +               right = rumble_force->weak;
> > +               dbg_hid("called with 0x%04x 0x%04x\n", left, right);
> > 
> > -       if (!left && !right) {
> > -               holtekff_send(holtekff, hid, stop_all6);
> > -               return 0;
> > -       }
> > +               if (!left && !right) {
> > +                       holtekff_send(holtekff, hid, stop_all6);
> > +                       return 0;
> > +               }
> > 
> > -       if (left)
> > -               buf[1] |= 0x80;
> > -       if (right)
> > -               buf[1] |= 0x40;
> > +               if (left)
> > +                       buf[1] |= 0x80;
> > +               if (right)
> > +                       buf[1] |= 0x40;
> > 
> > -       /* The device takes a single magnitude, so we just sum them
> > up. */
> > -       buf[6] = min(0xf, (left >> 12) + (right >> 12));
> > +               /* The device takes a single magnitude, so we just sum
> > them up. */
> > +               buf[6] = min(0xf, (left >> 12) + (right >> 12));
> > 
> > -       holtekff_send(holtekff, hid, buf);
> > -       holtekff_send(holtekff, hid, start_effect_1);
> > +               holtekff_send(holtekff, hid, buf);
> > +               holtekff_send(holtekff, hid, start_effect_1);
> > +               return 0;
> > +       case MLNX_STOP_RUMBLE:
> > +               holtekff_send(holtekff, hid, stop_all6);
> > +               return 0;
> > +       default:
> > +               return -EINVAL;
> > +       }
> > 
> >         return 0;
> >  
> >  }
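
Review bot: the trailing "return 0;" after the switch is unreachable now that MLNX_START_RUMBLE, MLNX_STOP_RUMBLE and default each return on their own. Either drop it, or let the cases break and keep a single return at the end, so the function has one obvious exit path and the compiler does not have dead code to warn about.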
> 
> This looks very much like doing DMA on the kernel stack.
> That is very strictly forbidden. The bug is also in the current
> code, but would you care to fix it up?

Okay, I'll look into it.

Michal
