| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 8 Sep 2016 14:24:25 +0100
From: Emil Velikov <emil.l.velikov@...il.com>
To: Tomeu Vizoso <tomeu.vizoso@...labora.com>
Cc: "Linux-Kernel@...r. Kernel. Org" <linux-kernel@...r.kernel.org>,
linux-doc@...r.kernel.org, Jonathan Corbet <corbet@....net>,
ML dri-devel <dri-devel@...ts.freedesktop.org>,
Daniel Vetter <daniel.vetter@...el.com>,
Emil Velikov <emil.velikov@...labora.com>
Subject: Re: [PATCH v6 2/4] drm: Add API for capturing frame CRCs
Hi Tomeu,
A couple of small nitpicks and a rather nasty looking bug, related to
your earlier question.
On 7 September 2016 at 11:27, Tomeu Vizoso <tomeu.vizoso@...labora.com> wrote:
> +static ssize_t crc_control_write(struct file *file, const char __user *ubuf,
> + size_t len, loff_t *offp)
> +{
> + if (source[len] == '\n')
> + source[len] = '\0';
> +
Considering the bug below, I'm considering if there's a case were we
don't want to explicitly set the terminating byte ?
> +/*
> + * 1 frame field of 10 chars plus a number of CRC fields of 10 chars each, space
> + * separated, with a newline at the end and null-terminated.
> + */
NULL-terminated what the things that was missing, explaining the
maths. Yet note the code sort of contradicts it.
TL;DR: above we conditionally NULL terminate the data, yet (below) we
feed garbage (always) instead of \0 byte.
> +#define LINE_LEN(values_cnt) (10 + 11 * values_cnt + 1 + 1)
> +#define MAX_LINE_LEN (LINE_LEN(DRM_MAX_CRC_NR))
> +
> +static ssize_t crtc_crc_read(struct file *filep, char __user *user_buf,
> + size_t count, loff_t *pos)
> +{
> + struct drm_crtc *crtc = filep->f_inode->i_private;
> + struct drm_crtc_crc *crc = &crtc->crc;
> + struct drm_crtc_crc_entry *entry;
> + char buf[MAX_LINE_LEN];
Here buf is filled with garbage...
> + if (entry->has_frame_counter)
> + sprintf(buf, "0x%08x", entry->frame);
> + else
> + sprintf(buf, "XXXXXXXXXX");
> +
> + for (i = 0; i < crc->values_cnt; i++)
> + sprintf(buf + 10 + i * 11, " 0x%08x", entry->crcs[i]);
> + sprintf(buf + 10 + crc->values_cnt * 11, "\n");
> +
... and now all the data is in, incl. the \n byte.
> + if (copy_to_user(user_buf, buf, LINE_LEN(crc->values_cnt)))
And here we copy the whole thing incl. the 'should be \0 but is
actually garbage' byte.
This doesn't look good :-\
> --- a/drivers/gpu/drm/drm_drv.c
> +++ b/drivers/gpu/drm/drm_drv.c
> @@ -221,6 +222,14 @@ static int drm_minor_register(struct drm_device *dev, unsigned int type)
> return ret;
> }
>
> + if (type == DRM_MINOR_PRIMARY) {
> + drm_for_each_crtc(crtc, dev) {
> + ret = drm_debugfs_crtc_add(crtc);
> + if (ret)
> + DRM_ERROR("DRM: Failed to initialize CRC debugfs.\n");
> + }
> + }
> +
Minor: We're missing teardown in the error path.
> --- /dev/null
> +++ b/include/drm/drm_debugfs_crc.h
> +static inline int drm_debugfs_crtc_crc_add(struct drm_crtc *crtc)
Minor: The function is internal only and used only when
defined(CONFIG_DEBUG_FS). Thus it should stay in
drivers/gpu/drm/foo.h.
Rule of thumb: include/drm defines the API used by the drivers, while
drivers/gpu/drm/foo_internal.h the internal API between the core DRM
modules.
Regards,
Emil
Powered by blists - more mailing lists