Date:	Tue, 1 Mar 2016 17:47:49 +0530
From:	Purna Chandra Mandal <purna.mandal@...rochip.com>
To:	Mark Brown <broonie@...nel.org>
CC:	Joshua Henderson <joshua.henderson@...rochip.com>,
	<linux-kernel@...r.kernel.org>, <linux-spi@...r.kernel.org>
Subject: Re: [PATCH] spi: Fix incomplete handling of
 SPI_MASTER_MUST_RX/_MUST_TX

Mark,

On 02/08/2016 09:45 PM, Mark Brown wrote:

> On Fri, Feb 05, 2016 at 10:30:24AM +0530, Purna Chandra Mandal wrote:
>
> Please fix your mail client to word wrap within paragraphs at something
> substantially less than 80 columns.  Doing this makes your messages much
> easier to read and reply to.
>
>> Idea is good, but not sufficient.
>> Dummy buffers are _reallocated_ to accommodate larger size of transfer. In this if
>> [originally NULL] .rx_buf/.tx_buf is not reset back to NULL after the transfer
>> is over spi-core will find those .rx/tx_buf non-NULL in next _transfer() call and
>> will pass the stale rx/tx_buf to spi controller driver which will definitely
>> corrupt the memory and crash the system.
> This needs to be clear to readers; a fairly obvious way of dealing with
> this would be to reallocate down to a page rather than freeing.

Yea. But the current krealloc() implementation allocates new memory if the new
size is more than the allocated space (and frees the old). If we allocate
PAGE_SIZE of dummy buffer (at first call irrespective of required size),
re-use it and don't allow transfer size to grow more than PAGE_SIZE we
will be fine provided all SPI clients agree to the size restriction.
The moment we'll try to re-allocate new buffer we will reach the same
point we wanted to avoid here.

>> Above all the whole design depends on trust that core will not play with any data-structure
>> which will break object-oriented/layered approach. So better to undo the modification
>> (when needed to facilitate some functionality) unless core wants those information to be passed
>> back to caller/client for reporting success or error or else.
> That's really not the case, we already make a range of other
> modifications to complete partially filled transfers in order to
> simplify driver code.

Purna
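
The stale-pointer hazard discussed in this message, modeled in userspace C as an added example (not code from the patch or from spi-core). The names `struct xfer`, `grow_dummy`, `run_message` and `scenario` are hypothetical, and replaced buffers are kept on a `retired` list rather than freed so the staleness check stays well defined.

```c
#include <stdio.h>
#include <stdlib.h>
/* Userspace model; struct and function names are hypothetical, not spi-core's. */
struct xfer { const void *tx_buf; size_t len; int tx_was_null; };
static void *dummy_tx;     /* shared dummy TX buffer owned by the "core" */
static size_t dummy_len;
static void *retired[8];   /* replaced buffers, kept allocated so checks stay defined */
static int n_retired;

/* Grow as the thread describes krealloc(): new block, old one released. */
static void grow_dummy(size_t need) {
    if (need <= dummy_len) return;
    if (dummy_tx) retired[n_retired++] = dummy_tx;  /* stands in for freeing the old block */
    if (!(dummy_tx = calloc(1, need))) abort();
    dummy_len = need;
}

static int is_stale(const void *p) {
    for (int i = 0; i < n_retired; i++)
        if (retired[i] == p) return 1;
    return 0;
}

/* Run one message; returns how many transfers reach the driver with a stale tx_buf. */
static int run_message(struct xfer *x, int n, int restore_null) {
    size_t max = 0; int stale = 0;
    for (int i = 0; i < n; i++)
        if (!x[i].tx_buf && x[i].len > max) max = x[i].len;
    grow_dummy(max);
    for (int i = 0; i < n; i++) {
        if (!x[i].tx_buf) { x[i].tx_buf = dummy_tx; x[i].tx_was_null = 1; }
        else if (is_stale(x[i].tx_buf)) stale++;
    }
    for (int i = 0; restore_null && i < n; i++)  /* undo the core's modification */
        if (x[i].tx_was_null) { x[i].tx_buf = NULL; x[i].tx_was_null = 0; }
    return stale;
}

/* Constructed case: a 16-byte RX-only transfer is reused next to a new 64-byte one. */
static int scenario(int restore_null) {
    struct xfer a = { NULL, 16, 0 }, msg2[2] = { { NULL, 0, 0 }, { NULL, 64, 0 } };
    while (n_retired) free(retired[--n_retired]);
    free(dummy_tx); dummy_tx = NULL; dummy_len = 0;
    run_message(&a, 1, restore_null);
    msg2[0] = a;
    return run_message(msg2, 2, restore_null);
}

int main(void) { printf("%d %d\n", scenario(0), scenario(1)); return 0; }
```

Without the reset, the reused transfer carries the pointer to the replaced 16-byte buffer into the second message; with the reset, both transfers receive the current dummy buffer.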
