lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20171204103356.cxmblmuvva3kjst6@mwanda>
Date:   Mon, 4 Dec 2017 13:33:56 +0300
From:   Dan Carpenter <dan.carpenter@...cle.com>
To:     Simon Sandström <simon@...anor.nu>
Cc:     gregkh@...uxfoundation.org, devel@...verdev.osuosl.org,
        linux@...f-Entwicklungen.de, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 6/6] staging: pi433: Rename enum modShaping in rf69_enum.h

On Sun, Dec 03, 2017 at 04:17:26PM +0100, Simon Sandström wrote:
> diff --git a/drivers/staging/pi433/pi433_if.h b/drivers/staging/pi433/pi433_if.h
> index 34ff0d4807bd..bcfe29840889 100644
> --- a/drivers/staging/pi433/pi433_if.h
> +++ b/drivers/staging/pi433/pi433_if.h
> @@ -63,7 +63,7 @@ struct pi433_tx_cfg {
>  	__u16			bit_rate;
>  	__u32			dev_frequency;
>  	enum modulation		modulation;
> -	enum modShaping		modShaping;
> +	enum mod_shaping	mod_shaping;
>  

I looked at how mod_shaping is set and the only place is in the ioctl:

   789          case PI433_IOC_WR_TX_CFG:
   790                  if (copy_from_user(&instance->tx_cfg, argp,
   791                                          sizeof(struct pi433_tx_cfg)))
   792                          return -EFAULT;
   793                  break;

We just write over the whole config.  Including important things like
rx_cfg.fixed_message_length.  There is no locking so when we do things
like:

   385          /* fixed or unlimited length? */
   386          if (dev->rx_cfg.fixed_message_length != 0)
   387          {
   388                  if (dev->rx_cfg.fixed_message_length > dev->rx_buffer_size)
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
check

   389                  {
   390                          retval = -1;
   391                          goto abort;
   392                  }
   393                  bytes_total = dev->rx_cfg.fixed_message_length;
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
set this in the ioctl after the check but before this line and it looks
like a security problem.

   394                  dev_dbg(dev->dev,"rx: msg len set to %d by fixed length", bytes_total);
   395          }

Anyway, I guess this patch is fine.

regards,
dan carpenter

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ