Message-ID: <56D774B6.6070108@mleia.com>
Date:	Thu, 3 Mar 2016 01:18:14 +0200
From:	Vladimir Zapolskiy <vz@...ia.com>
To:	Andrew Lunn <andrew@...n.ch>
Cc:	GregKH <greg@...ah.com>, srinivas.kandagatla@...aro.org,
	maxime.ripard@...e-electrons.com, wsa@...-dreams.de,
	broonie@...nel.org, linux-kernel@...r.kernel.org,
	pantelis.antoniou@...sulko.com, bgolaszewski@...libre.com
Subject: Re: [PATCHv7 6/7] eeprom: 93xx46: extend driver to plug into the
 NVMEM framework

On 03.03.2016 00:26, Andrew Lunn wrote:
>>>  static ssize_t
>>> -eeprom_93xx46_bin_read(struct file *filp, struct kobject *kobj,
>>> -		       struct bin_attribute *bin_attr,
>>> -		       char *buf, loff_t off, size_t count)
>>> +eeprom_93xx46_read(struct eeprom_93xx46_dev *edev, char *buf,
>>> +		   unsigned off, size_t count)
>>>  {
>>> -	struct eeprom_93xx46_dev *edev;
>>> -	struct device *dev;
>>>  	ssize_t ret = 0;
>>>  
>>> -	dev = kobj_to_dev(kobj);
>>> -	edev = dev_get_drvdata(dev);
>>> +	if (unlikely(off >= edev->size))
>>> +		return 0;
>>> +	if ((off + count) > edev->size)
>>> +		count = edev->size - off;
>>> +	if (unlikely(!count))
>>> +		return count;
>>>  
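Review bot: The added clamp `if ((off + count) > edev->size)` computes the sum before comparing, so a very large `count` can wrap around and skip the clamp. Because the `off >= edev->size` case has already returned by that point, `if (count > edev->size - off)` gives the same result without the addition. Two smaller points in the same hunk: the new parameter is declared as bare `unsigned off` where `unsigned int off` would be more explicit, and `return count;` under `if (unlikely(!count))` would read more clearly as `return 0;`.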
>>
>> I'm scratching my head, do you want to kind of revert
>> the change https://lkml.org/lkml/2015/7/26/89 ? Why?
> 
> Hi Vladimir
> 
> I had not noticed you had removed this.
>  
>> If you know regmap_config.max_register, then all necessary
>> boundary checks can be done inside NVMEM core.
> 
> You don't have to use NVMEM, you could use the regmap directly. 

No problem, regmap API from drivers/base/regmap/regmap.c contains
all necessary boundary checks as far as I understand.

> It is a public API. Also, during implementation, I did manage to get out of
> bounds read passed into the drivers and they caused a crash. That
> might have been AT24, I don't remember, but verifying is better than
> possible crashing.
> 

IMHO to avoid boilerplate code and/or missed/redundant checks it
might be better to handle this particular kind of problem only
in one common place, for example sysfs binary attribute files do
not need this anymore, probably I should scrutinize the situation
with this transition to NVMEM as well.

If you remember a reproduction scenario for that crash, please let
me know.

At least this changeset must be applied I guess, am I right?
In other words, is the code without this changeset safe in connection
to boundary checks, and this is a newly discovered issue?

--
With best wishes,
Vladimir
