lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20161124175126.GA3088@basecamp.onstation.org>
Date:   Thu, 24 Nov 2016 12:51:26 -0500
From:   Brian Masney <masneyb@...tation.org>
To:     walter harms <wharms@....de>
Cc:     Dan Carpenter <dan.carpenter@...cle.com>,
        Jonathan Cameron <jic23@...nel.org>,
        Hartmut Knaack <knaack.h@....de>,
        Lars-Peter Clausen <lars@...afoo.de>,
        Peter Meerwald-Stadler <pmeerw@...erw.net>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Eva Rachel Retuya <eraretuya@...il.com>,
        linux-iio@...r.kernel.org, linux-kernel@...r.kernel.org,
        kernel-janitors@...r.kernel.org
Subject: Re: [patch] iio: tsl2583: make array large enough

On Thu, Nov 24, 2016 at 05:54:17PM +0100, walter harms wrote:
> 
> 
> Am 24.11.2016 16:48, schrieb Brian Masney:
> > On Thu, Nov 24, 2016 at 04:38:07PM +0300, Dan Carpenter wrote:
> >> This array is supposed to have 10 elements.  Smatch complains that with
> >> the current code we can have n == max_ints and read beyond the end of
> >> the array.
> >>
> >> Fixes: ac4f6eee8fe8 ("staging: iio: TAOS tsl258x: Device driver")
> >> Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
> >>
> >> diff --git a/drivers/iio/light/tsl2583.c b/drivers/iio/light/tsl2583.c
> >> index 0b87f6a..a78b602 100644
> >> --- a/drivers/iio/light/tsl2583.c
> >> +++ b/drivers/iio/light/tsl2583.c
> >> @@ -565,7 +565,7 @@ static ssize_t in_illuminance_lux_table_store(struct device *dev,
> >>  	struct iio_dev *indio_dev = dev_to_iio_dev(dev);
> >>  	struct tsl2583_chip *chip = iio_priv(indio_dev);
> >>  	const unsigned int max_ints = TSL2583_MAX_LUX_TABLE_ENTRIES * 3;
> >> -	int value[TSL2583_MAX_LUX_TABLE_ENTRIES * 3];
> >> +	int value[TSL2583_MAX_LUX_TABLE_ENTRIES * 3 + 1];
> >>  	int ret = -EINVAL;
> >>  	unsigned int n;
> >>  
> > 
> 
> sorry i did not notice that bevor ..
> there is a
>   max_ints = TSL2583_MAX_LUX_TABLE_ENTRIES * 3
> 
> IMHO this should read either:
>    int value[max_ints+1];

I originally went this route when I refactored the function, however
running make C=1 yields the following warnings:

drivers/iio/light/tsl2583.c:568:19: warning: Variable length array is
used.
drivers/iio/light/tsl2583.c:574:26: error: cannot size expression

That is why I went with the current implementation.

> or
>   max_ints=ARRAY_SIZE(value)-1;
> 
> (my personal favorite is dropping max_ints completely).

The max_ints value is also shown in the error message if the user passes
in too many or too few entries in the per device lux table. I wanted the
user to see the maximum allowable number without having to dig through
the kernel source code. Without it, I would have had to duplicate the
TSL2583_MAX_LUX_TABLE_ENTRIES * 3 statement a third time.

Brian

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ