lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20160726180002.2398-18-m.othacehe@gmail.com>
Date:	Tue, 26 Jul 2016 19:59:57 +0200
From:	Mathieu OTHACEHE <m.othacehe@...il.com>
To:	johan@...nel.org, gregkh@...uxfoundation.org
Cc:	linux-kernel@...r.kernel.org, linux-usb@...r.kernel.org,
	Mathieu OTHACEHE <m.othacehe@...il.com>
Subject: [PATCH v2 17/22] usb: serial: ti_usb_3410_5052: Fix firmware downloading

The buffer used to store firmware is allocated to maximum firmware
size (TI_FIRMWARE_BUF_SIZE) + header size.
This buffer is filled with requested firmware (fw_p->size) and padded
with 0xff bytes. The header is written over the 3 first bytes of the
buffer (overwritting the 3 first bytes of the requested firmware)

Then, ti_do_download function is called to send only the first
fw_p->size bytes from the buffer to the device.
The rest of the buffer is never used.

So it is sufficient to allocate a buffer of fw_p->size bytes to store
only the requested firmware. There is no need to do any padding.

This patch also move firmware buffer manipulation to ti_do_download
function.

Signed-off-by: Mathieu OTHACEHE <m.othacehe@...il.com>
---
 drivers/usb/serial/ti_usb_3410_5052.c | 61 +++++++++++++++++++----------------
 1 file changed, 33 insertions(+), 28 deletions(-)

diff --git a/drivers/usb/serial/ti_usb_3410_5052.c b/drivers/usb/serial/ti_usb_3410_5052.c
index 472971b..b46a511 100644
--- a/drivers/usb/serial/ti_usb_3410_5052.c
+++ b/drivers/usb/serial/ti_usb_3410_5052.c
@@ -1639,46 +1639,65 @@ static int ti_write_byte(struct usb_serial_port *port, u32 addr,
 	return status;
 }
 
-static int ti_do_download(struct usb_device *dev, int pipe,
-			  u8 *buffer, int size)
+static int ti_do_download(struct usb_serial *serial,
+			  const struct firmware *fw_p)
 {
 	int pos;
 	u8 cs = 0;
 	int done;
+	struct usb_device *dev = serial->dev;
 	struct ti_firmware_header *header;
 	int status = 0;
+	u8 *buffer;
+	int buffer_size;
 	int len;
+	unsigned int pipe;
+
+	pipe = usb_sndbulkpipe(dev, serial->port[0]->bulk_out_endpointAddress);
+
+	buffer_size = fw_p->size;
+	buffer = kmalloc(buffer_size, GFP_KERNEL);
+	if (!buffer)
+		return -ENOMEM;
 
-	for (pos = sizeof(struct ti_firmware_header); pos < size; pos++)
+	memcpy(buffer, fw_p->data, fw_p->size);
+
+	for (pos = sizeof(*header); pos < buffer_size; pos++)
 		cs = (u8)(cs + buffer[pos]);
 
 	header = (struct ti_firmware_header *)buffer;
-	header->wLength = cpu_to_le16(size - sizeof(*header));
+	header->wLength = cpu_to_le16(buffer_size - sizeof(*header));
 	header->bCheckSum = cs;
 
 	dev_dbg(&dev->dev, "%s - downloading firmware\n", __func__);
-	for (pos = 0; pos < size; pos += done) {
-		len = min(size - pos, TI_DOWNLOAD_MAX_PACKET_SIZE);
+	for (pos = 0; pos < buffer_size; pos += done) {
+		len = min(buffer_size - pos, TI_DOWNLOAD_MAX_PACKET_SIZE);
 		status = usb_bulk_msg(dev, pipe, buffer + pos, len, &done,
 				      TI_DOWNLOAD_TIMEOUT);
 		if (status)
 			break;
 	}
-	return status;
+
+	kfree(buffer);
+
+	if (status) {
+		dev_err(&dev->dev, "failed to download firmware: %d\n", status);
+		return status;
+	}
+
+	dev_dbg(&dev->dev, "%s - download successful\n", __func__);
+
+	return 0;
 }
 
 static int ti_download_firmware(struct usb_serial *serial)
 {
 	int status;
-	int buffer_size;
-	u8 *buffer;
 	struct usb_device *dev = serial->dev;
 	struct ti_device *tdev = usb_get_serial_data(serial);
-	unsigned int pipe;
 	const struct firmware *fw_p;
 	char buf[32];
 
-	pipe = usb_sndbulkpipe(dev, serial->port[0]->bulk_out_endpointAddress);
 
 	if (le16_to_cpu(dev->descriptor.idVendor) == MXU1_VENDOR_ID) {
 		snprintf(buf,
@@ -1733,30 +1752,16 @@ check_firmware:
 		dev_err(&dev->dev, "%s - firmware not found\n", __func__);
 		return -ENOENT;
 	}
+
 	if (fw_p->size > TI_FIRMWARE_BUF_SIZE) {
 		dev_err(&dev->dev, "%s - firmware too large %zu\n", __func__, fw_p->size);
 		release_firmware(fw_p);
 		return -ENOENT;
 	}
 
-	buffer_size = TI_FIRMWARE_BUF_SIZE + sizeof(struct ti_firmware_header);
-	buffer = kmalloc(buffer_size, GFP_KERNEL);
-	if (buffer) {
-		memcpy(buffer, fw_p->data, fw_p->size);
-		memset(buffer + fw_p->size, 0xff, buffer_size - fw_p->size);
-		status = ti_do_download(dev, pipe, buffer, fw_p->size);
-		kfree(buffer);
-	} else {
-		status = -ENOMEM;
-	}
-	release_firmware(fw_p);
-	if (status) {
-		dev_err(&dev->dev, "%s - error downloading firmware, %d\n",
-							__func__, status);
-		return status;
-	}
+	ti_do_download(serial, fw_p);
 
-	dev_dbg(&dev->dev, "%s - download successful\n", __func__);
+	release_firmware(fw_p);
 
 	return 0;
 }
-- 
2.9.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ