Message-ID: <20160113185239.GC39593@dtor-ws>
Date:	Wed, 13 Jan 2016 10:52:39 -0800
From:	Dmitry Torokhov <dmitry.torokhov@...il.com>
To:	Aniroop Mathur <a.mathur@...sung.com>
Cc:	linux-input@...r.kernel.org, linux-kernel@...r.kernel.org,
	aniroop.mathur@...il.com, s.samuel@...sung.com,
	r.mahale@...sung.com
Subject: Re: [PATCH] [v5]Input: evdev: fix bug of dropping full valid packet
 after syn_dropped

On Wed, Jan 13, 2016 at 05:27:41PM +0530, Aniroop Mathur wrote:
> If last event in old queue that was dropped was EV_SYN/SYN_REPORT, then
> let's generate EV_SYN/SYN_REPORT immediately after queuing EV_SYN/SYN_DROPPED
> so that clients would not ignore next valid full packet events.
> 
> Signed-off-by: Aniroop Mathur <a.mathur@...sung.com>
> ---
>  drivers/input/evdev.c |   45 +++++++++++++++++++++++++++++++++------------
>  1 file changed, 33 insertions(+), 12 deletions(-)
> 
> diff --git a/drivers/input/evdev.c b/drivers/input/evdev.c
> index e9ae3d5..0bc7b98 100644
> --- a/drivers/input/evdev.c
> +++ b/drivers/input/evdev.c
> @@ -156,7 +156,12 @@ static void __evdev_flush_queue(struct evdev_client *client, unsigned int type)
>  static void __evdev_queue_syn_dropped(struct evdev_client *client)
>  {
>  	struct input_event ev;
> +	struct input_event *prev_ev;
>  	ktime_t time;
> +	unsigned int mask = client->bufsize - 1;
> +
> +	/* store previous event */
> +	prev_ev = &client->buffer[(client->head - 1) & mask];
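
Review bot: prev_ev is taken from client->buffer[(client->head - 1) & mask] at the top of __evdev_queue_syn_dropped() with no check that the slot behind head actually holds a queued event, so on an empty buffer it points at stale data and whatever is read through it later is not trustworthy. Guard the lookup with an emptiness check before it is used. The comment says "store previous event", but only a pointer into the ring is kept; if that slot can be rewritten before prev_ev is read, copy the struct input_event by value instead. mask = client->bufsize - 1 is also only a valid index mask when bufsize is a power of two, which deserves a one-line comment here.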

How do you know that the previous event is valid/exists? In fact, when we
are dropping events due to the full queue, you will be referencing the
newest event being processed, not the previous event.

I also wonder if this code is safe with regard to __evdev_flush_queue()
that is dropping a bunch of events and possibly empty SYN_REPORT groups.

Thanks.

-- 
Dmitry
