lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20140918091313.GA1989@localhost>
Date:	Thu, 18 Sep 2014 11:13:13 +0200
From:	Johan Hovold <johan@...nel.org>
To:	Octavian Purdila <octavian.purdila@...el.com>
Cc:	Johan Hovold <johan@...nel.org>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	Linus Walleij <linus.walleij@...aro.org>,
	Alexandre Courbot <gnurou@...il.com>, wsa@...-dreams.de,
	Samuel Ortiz <sameo@...ux.intel.com>,
	Lee Jones <lee.jones@...aro.org>,
	Arnd Bergmann <arnd@...db.de>,
	Daniel Baluta <daniel.baluta@...el.com>,
	Laurentiu Palcu <laurentiu.palcu@...el.com>,
	linux-usb@...r.kernel.org, lkml <linux-kernel@...r.kernel.org>,
	linux-gpio@...r.kernel.org, linux-i2c@...r.kernel.org
Subject: Re: [PATCH v4 2/3] i2c: add support for Diolan DLN-2 USB-I2C adapter

On Thu, Sep 18, 2014 at 11:49:19AM +0300, Octavian Purdila wrote:
> On Thu, Sep 18, 2014 at 11:19 AM, Johan Hovold <johan@...nel.org> wrote:
> > On Wed, Sep 17, 2014 at 01:07:51PM +0300, Octavian Purdila wrote:
> >> On Wed, Sep 17, 2014 at 12:44 PM, Johan Hovold <johan@...nel.org> wrote:
> >>
> >> <snip>
> >>
> >> >> +     /*
> >> >> +      * Buffer to hold the packet for read or write transfers. One
> >> >> +      * is enough since we can't have multiple transfers in
> >> >> +      * parallel on the i2c adapter.
> >> >> +      */
> >> >> +     union {
> >> >> +             struct {
> >> >> +                     u8 port;
> >> >> +                     u8 addr;
> >> >> +                     u8 mem_addr_len;
> >> >> +                     __le32 mem_addr;
> >> >> +                     __le16 buf_len;
> >> >> +                     u8 buf[DLN2_I2C_MAX_XFER_SIZE];
> >> >> +             } __packed tx;
> >> >> +             struct {
> >> >> +                     __le16 buf_len;
> >> >> +                     u8 buf[DLN2_I2C_MAX_XFER_SIZE];
> >> >> +             } __packed rx;
> >> >> +     } buf;
> >> >
> >> > While this works in this case due to the extra copy you do in
> >> > dln2_transfer, allocating buffers that would (generally) be used for DMA
> >> > transfers as part of a larger structure is a recipe for trouble.
> >> >
> >> > It's probably better to allocate separately, if only to prevent people
> >> > from thinking there might be a bug here.
> >> >
> >>
> >> Just to make sure I understand this, what could the issues be? The
> >> buffers not being aligned or not allocated in continuous physical
> >> memory?
> >
> > Yes, the buffer (and any subsequent field) would have to be cache-line
> > aligned to avoid corruption due to cache-line sharing on some systems.
> >
> 
> Ah, ok, makes sense now. But is it safe to use kmalloc() in this case?
> Does kmalloc() prevent cache line sharing?

Yes, it does (as long as you allocate the buffer separately from the
containing struct).

> >> <snip>
> >>
> >> >> +
> >> >> +     rx_buf_len = le16_to_cpu(dln2->buf.rx.buf_len);
> >> >> +     if (rx_len < rx_buf_len + sizeof(dln2->buf.rx.buf_len))
> >> >> +             return -EPROTO;
> >> >> +
> >> >> +     if (data_len > rx_buf_len)
> >> >> +             data_len = rx_buf_len;
> >> >
> >> > You're still not checking that the received data does not overflow the
> >> > supplied buffer as I already commented on v3.
> >> >
> >> >> +
> >> >> +     memcpy(data, dln2->buf.rx.buf, data_len);
> >> >> +
> >> >> +     return data_len;
> >> >> +}
> >>
> >> Hmm, perhaps I am missing something, but we never transfer more then
> >> data_len, where data_len is the size of the buffer supplied by the
> >> user.
> >
> > That is the amount of data you request from the device, but you never
> > check how much is actually returned.
> >
> 
> Actually we check the receive buffer size here:
> 
>     if (data_len > rx_buf_len)
>         data_len = rx_buf_len;
> 
> rx_buf_len is the i2c received payload size while rx_len is the length
> of received message

Bah, you're right. You never explicitly check for overflow, but also
never use more than data_len bytes of the returned buffer.

I think you should add explicit checks, and return an error in this case
rather than silently truncate the data.

> > You really should clean up the error handling of this function as it is
> > currently not very readable.
> >
> 
> Perhaps adding some comments similar to the the explanation above would help?

It's more the logic of this function I find a bit twisted. I think you
should clean it up and consider adding appropriately named (temporary)
variables to make it more readable.

Johan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ