Date: Fri, 15 Jan 2016 13:22:15 -0500 From: Ashwin Chaugule <ashwin.chaugule@...aro.org> To: Alexey Klimov <alexey.klimov@....com>, Jaswinder Singh <jaswinder.singh@...aro.org> Cc: Jassi Brar <jassisinghbrar@...il.com>, Sudeep Holla <sudeep.holla@....com>, lkml <linux-kernel@...r.kernel.org> Subject: Re: [PATCH] mailbox: pcc: fix channel calculation in get_pcc_channel() + Jassi (Linaro addr) On 15 January 2016 at 13:20, Ashwin Chaugule <ashwin.chaugule@...aro.org> wrote: > Jassi, > > On 10 December 2015 at 13:19, Ashwin Chaugule > <ashwin.chaugule@...aro.org> wrote: >> On 10 December 2015 at 12:28, Alexey Klimov <alexey.klimov@....com> wrote: >>> This patch fixes the calculation of pcc_chan for non-zero id. >>> After the compiler ignores the (unsigned long) cast the >>> pcc_mbox_channels pointer is type-cast and then the type-cast >>> offset is added which results in address outside of the range >>> leading to the kernel crashing. >>> >>> We might add braces and make it: >>> >>> pcc_chan = (struct mbox_chan *) >>> ((unsigned long) pcc_mbox_channels + >>> (id * sizeof(*pcc_chan))); >>> >>> but let's go with array approach here and use id as index. >>> >>> Tested on Juno board. >>> >>> Acked-by: Sudeep Holla <sudeep.holla@....com> >>> Signed-off-by: Alexey Klimov <alexey.klimov@....com> >>> --- >>> drivers/mailbox/pcc.c | 8 +------- >>> 1 file changed, 1 insertion(+), 7 deletions(-) >>> >>> diff --git a/drivers/mailbox/pcc.c b/drivers/mailbox/pcc.c >>> index 45d85ae..8f779a1 100644 >>> --- a/drivers/mailbox/pcc.c >>> +++ b/drivers/mailbox/pcc.c 
>>> @@ -81,16 +81,10 @@ static struct mbox_controller pcc_mbox_ctrl = {}; >>> */ >>> static struct mbox_chan *get_pcc_channel(int id) >>> { >>> - struct mbox_chan *pcc_chan; >>> - >>> if (id < 0 || id > pcc_mbox_ctrl.num_chans) >>> return ERR_PTR(-ENOENT); >>> >>> - pcc_chan = (struct mbox_chan *) >>> - (unsigned long) pcc_mbox_channels + >>> - (id * sizeof(*pcc_chan)); >>> - >>> - return pcc_chan; >>> + return &pcc_mbox_channels[id]; >>> } >>> >> >> >> Strange that we didn't catch this even with a non-zero id. But the >> change makes sense so.. >> >> Acked-by: Ashwin Chaugule <ashwin.chaugule@...aro.org> > > Can you please include this patch in your pull request to Linus? > > Thanks, > Ashwin.
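Review bot: the bounds check kept as context in get_pcc_channel(), `if (id < 0 || id > pcc_mbox_ctrl.num_chans)`, still accepts id == num_chans, and with the new `return &pcc_mbox_channels[id];` that value yields a pointer one element past the end if pcc_mbox_channels holds num_chans entries (the allocation is not visible in this hunk). Consider changing the comparison to `id >= pcc_mbox_ctrl.num_chans` in the same patch, since indexing by id now makes the off-by-one directly reachable. The commit message could also describe the root cause more precisely: in the removed expression the cast binds tighter than `+`, so pcc_mbox_channels was converted back to `struct mbox_chan *` before the addition and the offset `id * sizeof(*pcc_chan)` was then scaled a second time by pointer arithmetic, which is what pushed the result out of range for non-zero id.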