| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 30 May 2020 06:37:17 +0000
From: Avri Altman <Avri.Altman@....com>
To: Bean Huo <huobean@...il.com>,
"alim.akhtar@...sung.com" <alim.akhtar@...sung.com>,
"asutoshd@...eaurora.org" <asutoshd@...eaurora.org>,
"jejb@...ux.ibm.com" <jejb@...ux.ibm.com>,
"martin.petersen@...cle.com" <martin.petersen@...cle.com>,
"stanley.chu@...iatek.com" <stanley.chu@...iatek.com>,
"beanhuo@...ron.com" <beanhuo@...ron.com>,
"bvanassche@....org" <bvanassche@....org>,
"tomas.winkler@...el.com" <tomas.winkler@...el.com>,
"cang@...eaurora.org" <cang@...eaurora.org>
CC: "linux-scsi@...r.kernel.org" <linux-scsi@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH v4 3/4] scsi: ufs: cleanup ufs initialization path
> - case QUERY_DESC_IDN_RFU_0:
> - case QUERY_DESC_IDN_RFU_1:
You forgot to check that desc_id < QUERY_DESC_IDN_MAX
> + if (desc_id == QUERY_DESC_IDN_RFU_0 || desc_id ==
> QUERY_DESC_IDN_RFU_1)
> *desc_len = 0;
> - break;
> - default:
> - *desc_len = 0;
> - return -EINVAL;
> - }
> - return 0;
> + else
> + *desc_len = hba->desc_size[desc_id];
> }
> EXPORT_SYMBOL(ufshcd_map_desc_id_to_length);
>
> +static void ufshcd_update_desc_length(struct ufs_hba *hba,
> + enum desc_idn desc_id,
> + unsigned char desc_len)
> +{
> + if (hba->desc_size[desc_id] == QUERY_DESC_MAX_SIZE &&
> + desc_id != QUERY_DESC_IDN_STRING)
> + hba->desc_size[desc_id] = desc_len;
> +}
> +
> /**
> * ufshcd_read_desc_param - read the specified descriptor parameter
> * @hba: Pointer to adapter instance
> @@ -3168,16 +3105,11 @@ int ufshcd_read_desc_param(struct ufs_hba
> *hba,
> if (desc_id >= QUERY_DESC_IDN_MAX || !param_size)
> return -EINVAL;
>
> - /* Get the max length of descriptor from structure filled up at probe
> - * time.
> - */
> - ret = ufshcd_map_desc_id_to_length(hba, desc_id, &buff_len);
> -
> - /* Sanity checks */
> - if (ret || !buff_len) {
> - dev_err(hba->dev, "%s: Failed to get full descriptor length",
> - __func__);
> - return ret;
> + /* Get the length of descriptor */
> + ufshcd_map_desc_id_to_length(hba, desc_id, &buff_len);
> + if (!buff_len) {
> + dev_err(hba->dev, "%s: Failed to get desc length", __func__);
> + return -EINVAL;
> }
>
> /* Check whether we need temp memory */
The first time we are reading the descriptor, we no longer can rely on its true size.
So for this check, buff_len is 256 and kmalloc will always happen.
Do you think that this check is still relevant?
/* Check whether we need temp memory */
if (param_offset != 0 || param_size < buff_len) {
desc_buf = kmalloc(buff_len, GFP_KERNEL);
if (!desc_buf)
return -ENOMEM;
} else {
desc_buf = param_read_buf;
is_kmalloc = false;
}
> @@ -3209,6 +3141,9 @@ int ufshcd_read_desc_param(struct ufs_hba *hba,
> goto out;
> }
>
> + ufshcd_update_desc_length(hba, desc_id,
> + desc_buf[QUERY_DESC_LENGTH_OFFSET]);
> +
> /* Check wherher we will not copy more data, than available */
> if (is_kmalloc && param_size > buff_len)
> param_size = buff_len;
And here, we might want to update buff_len to hold the true descriptor size,
Before checking the copy-back buffer.
Thanks,
Avri
Powered by blists - more mailing lists