lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 24 Apr 2018 16:35:33 +0200
From:   Takashi Iwai <tiwai@...e.de>
To:     Oleksandr Andrushchenko <andr2000@...il.com>
Cc:     alsa-devel@...a-project.org, xen-devel@...ts.xenproject.org,
        boris.ostrovsky@...cle.com, konrad.wilk@...cle.com, perex@...ex.cz,
        Juergen Gross <jgross@...e.com>, linux-kernel@...r.kernel.org,
        Oleksandr Andrushchenko <oleksandr_andrushchenko@...m.com>
Subject: Re: [PATCH v2 3/5] ALSA: xen-front: Implement Xen event channel handling

On Tue, 24 Apr 2018 16:29:15 +0200,
Oleksandr Andrushchenko wrote:
> 
> On 04/24/2018 05:20 PM, Takashi Iwai wrote:
> > On Mon, 16 Apr 2018 08:24:51 +0200,
> > Oleksandr Andrushchenko wrote:
> >> +static irqreturn_t evtchnl_interrupt_req(int irq, void *dev_id)
> >> +{
> >> +	struct xen_snd_front_evtchnl *channel = dev_id;
> >> +	struct xen_snd_front_info *front_info = channel->front_info;
> >> +	struct xensnd_resp *resp;
> >> +	RING_IDX i, rp;
> >> +	unsigned long flags;
> >> +
> >> +	if (unlikely(channel->state != EVTCHNL_STATE_CONNECTED))
> >> +		return IRQ_HANDLED;
> >> +
> >> +	spin_lock_irqsave(&front_info->io_lock, flags);
> >> +
> >> +again:
> >> +	rp = channel->u.req.ring.sring->rsp_prod;
> >> +	/* ensure we see queued responses up to rp */
> >> +	rmb();
> >> +
> >> +	for (i = channel->u.req.ring.rsp_cons; i != rp; i++) {
> > I'm not familiar with Xen stuff in general, but through a quick
> > glance, this kind of code worries me a bit.
> >
> > If channel->u.req.ring.rsp_cons has a bogus number, this may lead to a
> > very long loop, no?  Better to have a sanity check of the ring buffer
> > size.
> In this loop I have:
> resp = RING_GET_RESPONSE(&channel->u.req.ring, i);
> and the RING_GET_RESPONSE macro is designed in the way that
> it wraps around when *i* in the question gets bigger than
> the ring size:
> 
> #define RING_GET_REQUEST(_r, _idx)                    \
>     (&((_r)->sring->ring[((_idx) & (RING_SIZE(_r) - 1))].req))
> 
> So, even if the counter has a bogus number it will not last long

Hm, this prevents from accessing outside the ring buffer, but does it
change the loop behavior?

Suppose channel->u.req.ring_rsp_cons = 1, and rp = 0, the loop below
would still consume the whole 32bit counts, no?

	for (i = channel->u.req.ring.rsp_cons; i != rp; i++) {
		resp = RING_GET_RESPONSE(&channel->u.req.ring, i);
		...
	}


Takashi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ