lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 18 Feb 2020 15:41:12 +0800
From:   Macpaul Lin <macpaul.lin@...iatek.com>
To:     Alexander Viro <viro@...iv.linux.org.uk>,
        Matthias Brugger <matthias.bgg@...il.com>,
        Shen Jing <jingx.shen@...el.com>,
        Sasha Levin <sashal@...nel.org>,
        John Stultz <john.stultz@...aro.org>,
        Macpaul Lin <macpaul.lin@...iatek.com>,
        Andrzej Pietrasiewicz <andrzej.p@...labora.com>,
        Vincent Pelletier <plr.vincent@...il.com>,
        Jerry Zhang <zhangjerry@...gle.com>,
        <linux-usb@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
        <linux-arm-kernel@...ts.infradead.org>,
        <linux-mediatek@...ts.infradead.org>
CC:     Mediatek WSD Upstream <wsd_upstream@...iatek.com>,
        CC Hwang <cc.hwang@...iatek.com>,
        Loda Chou <loda.chou@...iatek.com>
Subject: [PATCH] lib: iov_iter.c: fix a possible calculation error on remaining bytes

This issue was found when adbd trying to open functionfs with AIO mode.
Usually, we need to set "setprop sys.usb.ffs.aio_compat 0" to enable
adbd with AIO mode on Android.

When adbd is opening functionfs, it will try to read 24 bytes at the
fisrt read I/O control. If this reading has been failed, adbd will
try to send FUNCTIONFS_CLEAR_HALT to functionfs. When adbd is in AIO
mode, functionfs will be acted with asyncronized I/O path. After the
successful read transfer has been completed by gadget hardware, the
following series of functions will be called.
  ffs_epfile_async_io_complete() -> ffs_user_copy_worker() ->
    copy_to_iter() -> _copy_to_iter() -> copyout() ->
    iterate_and_advance() -> iterate_iovec()

Adding debug trace to these functions, it has been found that in
iterate_iovec(), the calculation result of n will be turned into zero.
   n = wanted - n; /* 0 == n = 24 - 24; */
Which causes copyout() won't copy data to userspace since the length
to be copied "v.iov_len" will be zero, which isn't correct. This also
leads ffs_copy_to_iter() always return -EFAULT. Finally adbd cannot
open functionfs and send FUNCTIONFS_CLEAR_HALT.

Signed-off-by: Macpaul Lin <macpaul.lin@...iatek.com>
---
 lib/iov_iter.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index fb29c02c6a3c..f9334144e259 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -36,7 +36,8 @@
 		skip = __v.iov_len;			\
 		n -= __v.iov_len;			\
 	}						\
-	n = wanted - n;					\
+	if (n != wanted)				\
+		n = wanted - n;				\
 }
 
 #define iterate_kvec(i, n, __v, __p, skip, STEP) {	\
-- 
2.18.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ