lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 20 Feb 2019 14:58:27 -0700
From:   Nick Crews <ncrews@...omium.org>
To:     bleung@...omium.org, enric.balletbo@...labora.com
Cc:     linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org,
        dan.carpenter@...cle.com, dlaurie@...omium.org, ncrews@...omium.org
Subject: [PATCH -next] platform/chrome: Fix off-by-one error in wilco_ec/debugfs.c

Before, in debugfs.c it was possible to supply only the message type,
and not supply any other arguments when sending raw commands. However,
this is never used by the EC, and it led to an underflow error. Now,
just don't allow too short of a command, we will never need
that anyways.

Fixes: 46c7fd06f8c9 ("platform/chrome: wilco_ec: Add support for raw commands in debugfs")
Signed-off-by: Nick Crews <ncrews@...omium.org>
---
 drivers/platform/chrome/wilco_ec/debugfs.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/platform/chrome/wilco_ec/debugfs.c b/drivers/platform/chrome/wilco_ec/debugfs.c
index 46ff3b6c46c7..c090db2cd5be 100644
--- a/drivers/platform/chrome/wilco_ec/debugfs.c
+++ b/drivers/platform/chrome/wilco_ec/debugfs.c
@@ -136,8 +136,8 @@ static ssize_t raw_write(struct file *file, const char __user *user_buf,
 	ret = parse_hex_sentence(buf, kcount, request_data, TYPE_AND_DATA_SIZE);
 	if (ret < 0)
 		return ret;
-	/* Need at least two bytes for message type */
-	if (ret < 2)
+	/* Need at least two bytes for message type and one for command */
+	if (ret < 3)
 		return -EINVAL;
 
 	/* Clear response data buffer */
@@ -145,7 +145,7 @@ static ssize_t raw_write(struct file *file, const char __user *user_buf,
 
 	msg.type = request_data[0] << 8 | request_data[1];
 	msg.flags = WILCO_EC_FLAG_RAW;
-	msg.command = ret > 2 ? request_data[2] : 0;
+	msg.command = request_data[2];
 	msg.request_data = ret > 3 ? request_data + 3 : 0;
 	msg.request_size = ret - 3;
 	msg.response_data = debug_info->raw_data;

Powered by blists - more mailing lists