lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160406173848.GC38452@dtor-ws>
Date:	Wed, 6 Apr 2016 10:38:48 -0700
From:	Dmitry Torokhov <dmitry.torokhov@...il.com>
To:	Aniroop Mathur <aniroop.mathur@...il.com>
Cc:	Henrik Rydberg <rydberg@...math.org>,
	Aniroop Mathur <a.mathur@...sung.com>,
	"linux-input@...r.kernel.org" <linux-input@...r.kernel.org>,
	lkml <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] Input: Do not add SYN_REPORT in between a single packet
 data

On Wed, Apr 06, 2016 at 08:26:39PM +0530, Aniroop Mathur wrote:
> On Sat, Apr 2, 2016 at 10:31 PM, Aniroop Mathur
> <aniroop.mathur@...il.com> wrote:
> > Hello Mr. Torokhov,
> >
> > First of all, Thank you for your reply.
> >
> > On Sat, Apr 2, 2016 at 3:21 AM, Dmitry Torokhov
> > <dmitry.torokhov@...il.com> wrote:
> >> On Fri, Mar 11, 2016 at 12:26:57AM +0530, Aniroop Mathur wrote:
> >>> Hi Henrik,
> >>>
> >>> On Thu, Mar 10, 2016 at 7:15 PM, Henrik Rydberg <rydberg@...math.org> wrote:
> >>> > Hi Dmitry,
> >>> >
> >>> >>> diff --git a/drivers/input/input.c b/drivers/input/input.c
> >>> >>> index 8806059..262ef77 100644
> >>> >>> --- a/drivers/input/input.c
> >>> >>> +++ b/drivers/input/input.c
> >>> >>> @@ -401,8 +401,7 @@ static void input_handle_event(struct input_dev *dev,
> >>> >>>                 if (dev->num_vals >= 2)
> >>> >>>                         input_pass_values(dev, dev->vals, dev->num_vals);
> >>> >>>                 dev->num_vals = 0;
> >>> >>> -       } else if (dev->num_vals >= dev->max_vals - 2) {
> >>> >>> -               dev->vals[dev->num_vals++] = input_value_sync;
> >>> >>> +       } else if (dev->num_vals >= dev->max_vals - 1) {
> >>> >>>                 input_pass_values(dev, dev->vals, dev->num_vals);
> >>> >>>                 dev->num_vals = 0;
> >>> >>>         }
> >>> >>
> >>> >> This makes sense to me. Henrik?
> >>> >
> >>> > I went through the commits that made these changes, and I cannot see any strong
> >>> > reason to keep it. However, this code path only triggers if no SYN events are
> >>> > seen, as in a driver that fails to emit them and consequently fills up the
> >>> > buffer. In other words, this change would only affect a device that is already,
> >>> > to some degree, broken.
> >>> >
> >>> > So, the question to Aniroop is: do you see this problem in practise, and in that
> >>> > case, for what driver?
> >>> >
> >>>
> >>> Nope. So far I have not dealt with any such driver.
> >>> I made this change because it is breaking protocol of SYN_REPORT event code.
> >>>
> >>> Further from the code, I could deduce that max_vals is just an estimation of
> >>> packet_size and it does not guarantee that packet_size is same as max_vals.
> >>> So real packet_size can be more than max_vals value and hence we could not
> >>> insert SYN_REPORT until packet ends really.
> >>> Further, if we consider that there exists a driver or will exist in future
> >>> which sets capability of x event code according to which max_value comes out to
> >>> y and the real packet size is z i.e. driver wants to send same event codes
> >>> again in the same packet, so input event reader would be expecting SYN_REPORT
> >>> after z events but due to current code SYN_REPORT will get inserted
> >>> automatically after y events, which is a wrong behaviour.
> >>
> >> Well, I think I agree with Aniroop that even if driver is to a degree
> >> broken we should not be inserting random SYN_REPORT events into the
> >> stream. I wonder if we should not add WARN_ONCE() there to highlight
> >> potential problems with the way we estimate the number of events.
> >>
> >> However I think there is an issue with the patch. If we happen to pass
> >> values just before the final SYN_REPORT sent by the driver then we reset
> >> dev->num_vals to 0 and will essentially suppress the final SYN_REPORT
> >> event, which is not good either.
> >>
> >
> > Yes, right!
> >
> > I think it can be fixed by sending the rest of events but not the last event
> > in case number of events becomes greater than max_vals. The last event will be
> > saved to be sent in next set of events. This way immediate SYN_REPORT will not
> > be suppressed and duplicate SYN_REPORT event will not be sent as well.
> >
> > Change:
> > @@ -401,8 +401,7 @@ static void input_handle_event(struct input_dev *dev,
> >                 if (dev->num_vals >= 2)
> >                         input_pass_values(dev, dev->vals, dev->num_vals);
> >                 dev->num_vals = 0;
> > -       } else if (dev->num_vals >= dev->max_vals - 2) {
> > -               dev->vals[dev->num_vals++] = input_value_sync;
> > -               input_pass_values(dev, dev->vals, dev->num_vals);
> > -               dev->num_vals = 0;
> > +       } else if (dev->num_vals == dev->max_vals) {
> > +                input_pass_values(dev, dev->vals, dev->num_vals - 1);
> > +                dev->num_vals = 0;
> > +                dev->vals[dev->num_vals++] = dev->vals[dev->max_vals - 1];
> >         }
> >
> > So, does the above patch looks good now?
> >

No, consider what will happen if you need to switch slot when your queue
is at dev->max_vals - 1. With your patch you will end up with out of
bounds write.

> 
> 
> Hello Mr. Torokhov,
> 
> Could you please update about this?
> It would be appreciating if you could help out to conclude it quickly.  Thanks!

I am not sure what the urgency is. It is more of a theoretical problem
ans so far the proposed solutions were actually introducing more
problems than they were solving.

I am sorry, bit this particular topic is not a priority for me.

> 
> 
> > And may be about WARN_ONCE, do you mean to add something like below in above
> > code?
> > WARN_ONCE(1, "Packet did not complete yet but generally expected to be
> > completed before generation of %d events.\n", dev->max_vals);
> >
> >
> > Thanks,
> > Aniroop Mathur
> >
> >> Thanks.
> >>
> >> --
> >> Dmitry

Thanks.

-- 
Dmitry

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ