lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date:   Sun, 8 Mar 2020 05:04:08 -0400
From:   George Spelvin <lkml@....org>
To:     linux-kernel@...r.kernel.org, lkml@....org
Cc:     Johan Hovold <johan@...nel.org>
Subject: [RFC PATCH v1 35/50] USB: serial: iuu_phoenix: Use pseudorandom for
 xmas mode

I also fixed a couple of buffer overrun bugs in iuu_led_activity_on,
based on code not expecting the "*buf_ptr++" to have been incremented.

- In xmas mode, the final setting of the period byte to 1 was
  done to buf_ptr[7], which was past the end of the buffer.
- In non-xmas mode, iuu_rgbf_fill_buffer() fills in 8 bytes starting
  with the IUU_SET_LED command.  The net result is duplicating the
  command and writing an extra byte off the end of the buffer.

I rewrote the code to omit the ++, which is more legible.

Not tested because I don't have the hardware, but I don't think
this code has been exercised much anyway.

Signed-off-by: George Spelvin <lkml@....org>
Cc: Johan Hovold <johan@...nel.org>
---
 drivers/usb/serial/iuu_phoenix.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/usb/serial/iuu_phoenix.c b/drivers/usb/serial/iuu_phoenix.c
index d5bff69b1769b..7aeea7b5ba8db 100644
--- a/drivers/usb/serial/iuu_phoenix.c
+++ b/drivers/usb/serial/iuu_phoenix.c
@@ -353,10 +353,11 @@ static void iuu_led_activity_on(struct urb *urb)
 	struct usb_serial_port *port = urb->context;
 	int result;
 	char *buf_ptr = port->write_urb->transfer_buffer;
-	*buf_ptr++ = IUU_SET_LED;
+
 	if (xmas) {
-		get_random_bytes(buf_ptr, 6);
-		*(buf_ptr+7) = 1;
+		buf_ptr[0] = IUU_SET_LED;
+		prandom_bytes(buf_ptr+1, 6);
+		buf_ptr[7] = 1;
 	} else {
 		iuu_rgbf_fill_buffer(buf_ptr, 255, 255, 0, 0, 0, 0, 255);
 	}
-- 
2.26.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ