lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Fri, 01 May 2020 19:38:52 -0700
From:   bbhatt@...eaurora.org
To:     Jeffrey Hugo <jhugo@...eaurora.org>
Cc:     mani@...nel.org, linux-arm-msm@...r.kernel.org,
        linux-kernel@...r.kernel.org, hemantk@...eaurora.org,
        linux-arm-msm-owner@...r.kernel.org
Subject: Re: [PATCH v3 6/9] bus: mhi: core: WARN_ON for malformed vector table

On 2020-04-30 08:02, Jeffrey Hugo wrote:
> On 4/29/2020 2:52 PM, Bhaumik Bhatt wrote:
>> Add a bounds check in the firmware copy routine to exit if a malformed
>> vector table is found while attempting to load the firmware in to the
>> BHIe vector table.
>> 
>> Signed-off-by: Bhaumik Bhatt <bbhatt@...eaurora.org>
>> ---
>>   drivers/bus/mhi/core/boot.c | 6 ++++++
>>   1 file changed, 6 insertions(+)
>> 
>> diff --git a/drivers/bus/mhi/core/boot.c b/drivers/bus/mhi/core/boot.c
>> index 17c636b..bc70edc 100644
>> --- a/drivers/bus/mhi/core/boot.c
>> +++ b/drivers/bus/mhi/core/boot.c
>> @@ -362,8 +362,14 @@ static void mhi_firmware_copy(struct 
>> mhi_controller *mhi_cntrl,
>>   	int i = 0;
>>   	struct mhi_buf *mhi_buf = img_info->mhi_buf;
>>   	struct bhi_vec_entry *bhi_vec = img_info->bhi_vec;
>> +	struct device *dev = &mhi_cntrl->mhi_dev->dev;
>>     	while (remainder) {
>> +		if (WARN_ON(i >= img_info->entries)) {
>> +			dev_err(dev, "Malformed vector table\n");
> 
> I feel like this message needs more detail.  At a minimum, I think it
> should indicate what vector table (BHIe).  I think if you can identify
> what file, etc the the glitch is in, that would be better.  Maybe some
> detail about i and img_info->entries.
> 
> If I see this error message, I should have enough information to
> immediately debug the issue.  If it tells enough to go directly into
> the firmware file and have a look at entry X to see what might be
> corrupt about it, that makes my debugging very efficient.  If I have
> to go back to the code to figure out what "Malformed vector table"
> means, and then maybe apply a patch to get more data about the error -
> the error message is not as useful as it should be.
> 

I plan on dropping this patch as it looks like an unnecessary check 
since we
will always rely on the firmware->size from the request_firmware() API 
in order
to calculate the img_info->entries (or we can call it the number of 
segments, in
our case). And we will never fail in the if loop as values will already 
be
bounded.

>> +			return;
>> +		}
>> +
>>   		to_cpy = min(remainder, mhi_buf->len);
>>   		memcpy(mhi_buf->buf, buf, to_cpy);
>>   		bhi_vec->dma_addr = mhi_buf->dma_addr;
>> 

Powered by blists - more mailing lists