lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <5837FC09.7010902@bfs.de>
Date:   Fri, 25 Nov 2016 09:53:29 +0100
From:   walter harms <wharms@....de>
To:     Brian Masney <masneyb@...tation.org>
CC:     Dan Carpenter <dan.carpenter@...cle.com>,
        Jonathan Cameron <jic23@...nel.org>,
        Hartmut Knaack <knaack.h@....de>,
        Lars-Peter Clausen <lars@...afoo.de>,
        Peter Meerwald-Stadler <pmeerw@...erw.net>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Eva Rachel Retuya <eraretuya@...il.com>,
        linux-iio@...r.kernel.org, linux-kernel@...r.kernel.org,
        kernel-janitors@...r.kernel.org
Subject: Re: [patch] iio: tsl2583: make array large enough



Am 24.11.2016 18:51, schrieb Brian Masney:
> On Thu, Nov 24, 2016 at 05:54:17PM +0100, walter harms wrote:
>>
>>
>> Am 24.11.2016 16:48, schrieb Brian Masney:
>>> On Thu, Nov 24, 2016 at 04:38:07PM +0300, Dan Carpenter wrote:
>>>> This array is supposed to have 10 elements.  Smatch complains that with
>>>> the current code we can have n == max_ints and read beyond the end of
>>>> the array.
>>>>
>>>> Fixes: ac4f6eee8fe8 ("staging: iio: TAOS tsl258x: Device driver")
>>>> Signed-off-by: Dan Carpenter <dan.carpenter@...cle.com>
>>>>
>>>> diff --git a/drivers/iio/light/tsl2583.c b/drivers/iio/light/tsl2583.c
>>>> index 0b87f6a..a78b602 100644
>>>> --- a/drivers/iio/light/tsl2583.c
>>>> +++ b/drivers/iio/light/tsl2583.c
>>>> @@ -565,7 +565,7 @@ static ssize_t in_illuminance_lux_table_store(struct device *dev,
>>>>  	struct iio_dev *indio_dev = dev_to_iio_dev(dev);
>>>>  	struct tsl2583_chip *chip = iio_priv(indio_dev);
>>>>  	const unsigned int max_ints = TSL2583_MAX_LUX_TABLE_ENTRIES * 3;
>>>> -	int value[TSL2583_MAX_LUX_TABLE_ENTRIES * 3];
>>>> +	int value[TSL2583_MAX_LUX_TABLE_ENTRIES * 3 + 1];
>>>>  	int ret = -EINVAL;
>>>>  	unsigned int n;
>>>>  
>>>
>>
>> sorry i did not notice that bevor ..
>> there is a
>>   max_ints = TSL2583_MAX_LUX_TABLE_ENTRIES * 3
>>
>> IMHO this should read either:
>>    int value[max_ints+1];
> 
> I originally went this route when I refactored the function, however
> running make C=1 yields the following warnings:
> 
> drivers/iio/light/tsl2583.c:568:19: warning: Variable length array is
> used.
> drivers/iio/light/tsl2583.c:574:26: error: cannot size expression
> 
> That is why I went with the current implementation.
> 
>> or
>>   max_ints=ARRAY_SIZE(value)-1;
>>
>> (my personal favorite is dropping max_ints completely).
> 
> The max_ints value is also shown in the error message if the user passes
> in too many or too few entries in the per device lux table. I wanted the
> user to see the maximum allowable number without having to dig through
> the kernel source code. Without it, I would have had to duplicate the
> TSL2583_MAX_LUX_TABLE_ENTRIES * 3 statement a third time.
> 
> Brian
> 


Hello Brian, thanks for the replay,

i have no problem when people so such things intentional but some times
people do this unintentional. When i review code, i see it as part of my
job to challenge constructs where i get a strange feeling.

re,
 wh


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ