lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <SN6PR04MB464078AE07966E53FFB237F5FC8C0@SN6PR04MB4640.namprd04.prod.outlook.com>
Date:   Sat, 30 May 2020 06:37:17 +0000
From:   Avri Altman <Avri.Altman@....com>
To:     Bean Huo <huobean@...il.com>,
        "alim.akhtar@...sung.com" <alim.akhtar@...sung.com>,
        "asutoshd@...eaurora.org" <asutoshd@...eaurora.org>,
        "jejb@...ux.ibm.com" <jejb@...ux.ibm.com>,
        "martin.petersen@...cle.com" <martin.petersen@...cle.com>,
        "stanley.chu@...iatek.com" <stanley.chu@...iatek.com>,
        "beanhuo@...ron.com" <beanhuo@...ron.com>,
        "bvanassche@....org" <bvanassche@....org>,
        "tomas.winkler@...el.com" <tomas.winkler@...el.com>,
        "cang@...eaurora.org" <cang@...eaurora.org>
CC:     "linux-scsi@...r.kernel.org" <linux-scsi@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: RE: [PATCH v4 3/4] scsi: ufs: cleanup ufs initialization path

> -       case QUERY_DESC_IDN_RFU_0:
> -       case QUERY_DESC_IDN_RFU_1:
You forgot to check that desc_id < QUERY_DESC_IDN_MAX

> +       if (desc_id == QUERY_DESC_IDN_RFU_0 || desc_id ==
> QUERY_DESC_IDN_RFU_1)
>                 *desc_len = 0;
> -               break;
> -       default:
> -               *desc_len = 0;
> -               return -EINVAL;
> -       }
> -       return 0;
> +       else
> +               *desc_len = hba->desc_size[desc_id];
>  }
>  EXPORT_SYMBOL(ufshcd_map_desc_id_to_length);
> 
> +static void ufshcd_update_desc_length(struct ufs_hba *hba,
> +                                     enum desc_idn desc_id,
> +                                     unsigned char desc_len)
> +{
> +       if (hba->desc_size[desc_id] == QUERY_DESC_MAX_SIZE &&
> +           desc_id != QUERY_DESC_IDN_STRING)
> +               hba->desc_size[desc_id] = desc_len;
> +}
> +
>  /**
>   * ufshcd_read_desc_param - read the specified descriptor parameter
>   * @hba: Pointer to adapter instance
> @@ -3168,16 +3105,11 @@ int ufshcd_read_desc_param(struct ufs_hba
> *hba,
>         if (desc_id >= QUERY_DESC_IDN_MAX || !param_size)
>                 return -EINVAL;
> 
> -       /* Get the max length of descriptor from structure filled up at probe
> -        * time.
> -        */
> -       ret = ufshcd_map_desc_id_to_length(hba, desc_id, &buff_len);
> -
> -       /* Sanity checks */
> -       if (ret || !buff_len) {
> -               dev_err(hba->dev, "%s: Failed to get full descriptor length",
> -                       __func__);
> -               return ret;
> +       /* Get the length of descriptor */
> +       ufshcd_map_desc_id_to_length(hba, desc_id, &buff_len);
> +       if (!buff_len) {
> +               dev_err(hba->dev, "%s: Failed to get desc length", __func__);
> +               return -EINVAL;
>         }
> 
>         /* Check whether we need temp memory */
The first time we are reading the descriptor, we no longer can rely on its true size.
So for this check, buff_len is 256 and kmalloc will always happen. 
Do you think that this check is still relevant?

/* Check whether we need temp memory */
        if (param_offset != 0 || param_size < buff_len) {
                desc_buf = kmalloc(buff_len, GFP_KERNEL);
                if (!desc_buf)
                        return -ENOMEM;
        } else {
                desc_buf = param_read_buf;
                is_kmalloc = false;
        }


> @@ -3209,6 +3141,9 @@ int ufshcd_read_desc_param(struct ufs_hba *hba,
>                 goto out;
>         }
> 
> +       ufshcd_update_desc_length(hba, desc_id,
> +                                 desc_buf[QUERY_DESC_LENGTH_OFFSET]);
> +
>         /* Check wherher we will not copy more data, than available */
>         if (is_kmalloc && param_size > buff_len)
>                 param_size = buff_len;
And here, we might want to update buff_len to hold the true descriptor size,
Before checking the copy-back buffer.

Thanks,
Avri

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ