lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Thu, 13 Nov 2014 13:01:27 +0200
From:	Octavian Purdila <octavian.purdila@...el.com>
To:	Dan Carpenter <dan.carpenter@...cle.com>
Cc:	Samuel Ortiz <sameo@...ux.intel.com>,
	Lee Jones <lee.jones@...aro.org>,
	lkml <linux-kernel@...r.kernel.org>,
	kernel-janitors@...r.kernel.org
Subject: Re: [patch 1/2 -next] mfd: dln2: add a limit check for invalid "echo"

On Thu, Nov 13, 2014 at 12:35 PM, Dan Carpenter
<dan.carpenter@...cle.com> wrote:
> We check the other variables and traditionally we don't trust data from
> USB devices so adding a check here is normal.  This silences a static
> checker warning.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
> ---
> I am unsure if this fix is correct and I don't have the hardware.
> Please review this one carefully.  The "goto out;" seems to use the
> invalid data and I don't understand why.
>
> diff --git a/drivers/mfd/dln2.c b/drivers/mfd/dln2.c
> index 9765a17..3101e5e 100644
> --- a/drivers/mfd/dln2.c
> +++ b/drivers/mfd/dln2.c
> @@ -280,6 +280,11 @@ static void dln2_rx(struct urb *urb)
>                 goto out;
>         }
>
> +       if (echo >= DLN2_MAX_RX_SLOTS) {
> +               dev_warn(dev, "invalid echo %d\n", echo);
> +               goto out;
> +       }
> +
>         data = urb->transfer_buffer + sizeof(struct dln2_header);
>         len = urb->actual_length - sizeof(struct dln2_header);
>

Hi Dan,

Thanks for the patch. You are right that we need to check echo, but
only in the case that it is not an event. In that case the echo
counter increments for every event and can easily be greater the
DLN2_MAX_RX_SLOTS. So the correct patch is to check in
dln2_transfer_complete() that rx_slot is valid. I will follow-up with
a patch for that shortly.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ