lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <94de6e6d-a2fa-6589-151b-660bbcb42773@gtsys.com.hk>
Date:   Fri, 19 May 2017 20:45:18 +0800
From:   Chris Ruehl <chris.ruehl@...ys.com.hk>
To:     jiada_wang@...tor.com, broonie@...nel.org
Cc:     linux-spi@...r.kernel.org, linux-kernel@...r.kernel.org,
        leonard.crestez@....com
Subject: Re: [PATCH 1/1] spi: imx: fix issue when tx_buf or rx_buf is NULL


On Thursday, May 18, 2017 06:01 PM, jiada_wang@...tor.com wrote:
> From: Jiada Wang <jiada_wang@...tor.com>
>
> In case either transfer->tx_buf or transfer->rx_buf is NULL,
> manipulation of buffer in spi_imx_u32_swap_u[8|16]() will cause
> NULL pointer dereference crash.
>
> Add buffer check at very beginning of spi_imx_u32_swap_u[8|16](),
> to avoid such crash.
>
> Signed-off-by: Jiada Wang <jiada_wang@...tor.com>
> Reported-by: Leonard Crestez <leonard.crestez@....com>
> ---
>  drivers/spi/spi-imx.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
> index 782045f..19b30cf 100644
> --- a/drivers/spi/spi-imx.c
> +++ b/drivers/spi/spi-imx.c
> @@ -288,6 +288,9 @@ static void spi_imx_u32_swap_u8(struct spi_transfer *transfer, u32 *buf)
>  {
>  	int i;
>
> +	if (!buf)
> +		return;
> +
>  	for (i = 0; i < transfer->len / 4; i++)
>  		*(buf + i) = cpu_to_be32(*(buf + i));
>  }
> @@ -296,6 +299,9 @@ static void spi_imx_u32_swap_u16(struct spi_transfer *transfer, u32 *buf)
>  {
>  	int i;
>
> +	if (!buf)
> +		return;
> +
>  	for (i = 0; i < transfer->len / 4; i++) {
>  		u16 *temp = (u16 *)buf;
>
>

Hi, thanks for the patch.

But I think we missing something here. We return from a void function()
so the error keeps hidden. The root cause is calling this functions with a NULL 
pointer. See if you can fix this by find the caller and check if the parameter 
hand over are valid.

Cheers
Chris


-- 
GTSYS Limited RFID Technology
9/F, Unit E, R07, Kwai Shing Industrial Building Phase 2,
42-46 Tai Lin Pai Road, Kwai Chung, N.T., Hong Kong
Tel (852) 9079 9521

Disclaimer: http://www.gtsys.com.hk/email/classified.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ