| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 4 Jun 2016 11:19:07 -0400
From: Jon Mason <jdmason@...zu.us>
To: Allen Hubbe <allenbh@...il.com>
Cc: Logan Gunthorpe <logang@...tatee.com>,
Dave Jiang <dave.jiang@...el.com>, linux-ntb@...glegroups.com,
linux-kernel <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] ntb_tool: Fix infinite loop bug when writing
spad/peer_spad file
On Sat, May 28, 2016 at 9:09 AM, Allen Hubbe <allenbh@...il.com> wrote:
> On Fri, May 27, 2016 at 4:38 PM, Logan Gunthorpe <logang@...tatee.com> wrote:
>> If you tried to write two spads in one line, as per the example:
>>
>> root@...r# echo '0 0x01010101 1 0x7f7f7f7f' > $DBG_DIR/peer_spad
>>
>> then the CPU would freeze in an infinite loop.
>>
>> This wasn't immediately obvious but 'pos' was not incrementing the
>> buffer, so after reading the second pair of values, 'pos' would once
>> again be 3 and it would re-read the second pair of values ad infinitum.
>>
>> Signed-off-by: Logan Gunthorpe <logang@...tatee.com>
>
> Good catch. Thanks Logan.
>
> Acked-by: Allen Hubbe <Allen.Hubbe@....com>
Applied to the ntb branch
Thanks,
Jon
>> ---
>> drivers/ntb/test/ntb_tool.c | 9 +++++----
>> 1 file changed, 5 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/ntb/test/ntb_tool.c b/drivers/ntb/test/ntb_tool.c
>> index 6f5dc6c..209ef7c 100644
>> --- a/drivers/ntb/test/ntb_tool.c
>> +++ b/drivers/ntb/test/ntb_tool.c
>> @@ -268,7 +268,7 @@ static ssize_t tool_spadfn_write(struct tool_ctx *tc,
>> {
>> int spad_idx;
>> u32 spad_val;
>> - char *buf;
>> + char *buf, *buf_ptr;
>> int pos, n;
>> ssize_t rc;
>>
>> @@ -288,14 +288,15 @@ static ssize_t tool_spadfn_write(struct tool_ctx *tc,
>> }
>>
>> buf[size] = 0;
>> -
>> - n = sscanf(buf, "%d %i%n", &spad_idx, &spad_val, &pos);
>> + buf_ptr = buf;
>> + n = sscanf(buf_ptr, "%d %i%n", &spad_idx, &spad_val, &pos);
>> while (n == 2) {
>> + buf_ptr += pos;
>> rc = spad_write_fn(tc->ntb, spad_idx, spad_val);
>> if (rc)
>> break;
>>
>> - n = sscanf(buf + pos, "%d %i%n", &spad_idx, &spad_val, &pos);
>> + n = sscanf(buf_ptr, "%d %i%n", &spad_idx, &spad_val, &pos);
>> }
>>
>> if (n < 0)
>> --
>> 2.1.4
Powered by blists - more mailing lists