lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <4ee3ce4f-f544-700c-bc8d-817cea35137a@flowbird.group>
Date:   Fri, 22 Nov 2019 18:43:48 +0100
From:   Martin Fuzzey <martin.fuzzey@...wbird.group>
To:     Sebastian Reichel <sebastian.reichel@...labora.com>,
        Dmitry Torokhov <dmitry.torokhov@...il.com>,
        Ahmet Inan <inan@...tec.de>
Cc:     linux-input@...r.kernel.org, linux-kernel@...r.kernel.org,
        kernel@...labora.com
Subject: Re: [PATCHv1 2/2] Input: EXC3000: Add support to query model and
 fw_version

Hi Sebastian,

On 07/11/2019 19:10, Sebastian Reichel wrote:
> Expose model and fw_version via sysfs. Also query the model
> in probe to make sure, that the I2C communication with the
> device works before successfully probing the driver.
>
> Signed-off-by: Sebastian Reichel <sebastian.reichel@...labora.com>
> ---
>   drivers/input/touchscreen/exc3000.c | 136 ++++++++++++++++++++++++++++
>   1 file changed, 136 insertions(+)
>
> diff --git a/drivers/input/touchscreen/exc3000.c b/drivers/input/touchscreen/exc3000.c
> index 7d695022082c..4c9f132629b9 100644
> --- a/drivers/input/touchscreen/exc3000.c
> +++ b/drivers/input/touchscreen/exc3000.c
> @@ -41,6 +41,11 @@ struct exc3000_data {
>   	struct touchscreen_properties prop;
>   	struct timer_list timer;
>   	u8 buf[2 * EXC3000_LEN_FRAME];
> +	char model[11];
> +	char fw_version[6];

These buffers are too small.

I know those are the values shown in the EETI "I2C Programming Guide" 
but, on my exc80H32 I have 16 bytes for the model and 14 for the fw_version.

It may even be possible to have larger, depends on the firmware / config 
blob that has been loaded.

The guide seems to be mostly an example. As nothing else is sent in the 
reply message, worst case the full frame would be filled.


>   
> +static void exc3000_query_interrupt(struct exc3000_data *data)
> +{
> +	u8 *buf = data->buf;
> +	int err;
> +
> +	data->query_result = 0;
> +
> +	err = i2c_master_recv(data->client, buf, EXC3000_LEN_FRAME);
> +	if (err < 0) {
> +		data->query_result = err;
> +		goto out;
> +	}
> +
> +	if (buf[0] == 0x42 && buf[4] == 'E') {
> +		memcpy(data->model, buf+5, 10);
> +		data->model[10] = '\0';

Maybe use sizeof() to avoid the hard coded 10?

> +		goto out;
> +	} else if (buf[0] == 0x42 && buf[4] == 'D') {
> +		memcpy(data->fw_version, buf+5, 5);
> +		data->fw_version[5] = '\0';
> +		goto out;
> +	}
> +


Ok so at least there won't be a buffer overflow but it will truncate.


> +static DEVICE_ATTR(fw_version, S_IRUGO, exc3000_get_fw_version, NULL);
> +


Maybe use DEVICE_ATTR_RO  to reduce the amount of boilerplate?


> +	input->dev.groups = exc3000_attribute_groups;


Hum, this adds the attributes to the input device (in /sys/class/input) 
but these attributes are really for the whole I2C device.

Wouldn't it be better to use devm_device_add_group() to add them to the 
I2C device?


> +	for (retry = 0; retry < 3; ++retry) {
> +		error = exc3000_get_model(data);
> +		if (!error) {
> +			break;
> +		}
> +		dev_warn(&client->dev, "Retry %d get EETI EXC3000 model: %d\n", retry + 1, error);
> +	}
> +


Is there a particular reason why retries are needed?


Regards,


Martin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ