lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <DB8PR10MB3356C443A448F5B543C58BAC856A0@DB8PR10MB3356.EURPRD10.PROD.OUTLOOK.COM>
Date:   Fri, 3 Jul 2020 06:50:47 +0000
From:   Roy Im <roy.im.opensource@...semi.com>
To:     Jes Sorensen <jes.sorensen@...il.com>,
        Roy Im <roy.im.opensource@...semi.com>,
        Uwe Kleine-Koenig <u.kleine-koenig@...gutronix.de>,
        Bartosz Golaszewski <bgolaszewski@...libre.com>,
        Brian Masney <masneyb@...tation.org>,
        Dmitry Torokhov <dmitry.torokhov@...il.com>,
        Greg KH <gregkh@...uxfoundation.org>,
        Lee Jones <lee.jones@...aro.org>, Luca Weiss <luca@...tu.xyz>,
        Maximilian Luz <luzmaximilian@...il.com>,
        Pascal PAILLET-LME <p.paillet@...com>,
        Rob Herring <robh@...nel.org>,
        Samuel Ortiz <sameo@...ux.intel.com>,
        Thierry Reding <thierry.reding@...il.com>,
        Thomas Gleixner <tglx@...utronix.de>
CC:     Support Opensource <Support.Opensource@...semi.com>,
        "linux-input@...r.kernel.org" <linux-input@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-pwm@...r.kernel.org" <linux-pwm@...r.kernel.org>
Subject: RE: [PATCH v15 3/3] Input: new da7280 haptic driver


On Fri, July 3, 2020 3:02 AM, Jes Sorensen wrote:
> On 6/29/20 9:01 AM, Roy Im wrote:
> > Adds support for the Dialog DA7280 LRA/ERM Haptic Driver with multiple
> > mode and integrated waveform memory and wideband support.
> > It communicates via an I2C bus to the device.
> >
> > Signed-off-by: Roy Im <roy.im.opensource@...semi.com>
> > ---
> > v15:
> > 	- Removed some defines and updated some comments.
> > v14:
> > 	- Updated pwm related code, alignments and comments.
> > v13:
> > 	- Updated some conditions in pwm function and alignments.
> > v12: No changes.
> > v11:
> > 	- Updated the pwm related code, comments and typo.
> > v10:
> > 	- Updated the pwm related function and added some comments.
> > v9:
> > 	- Removed the header file and put the definitions into the c file.
> > 	- Updated the pwm code and error logs with %pE
> > v8:
> > 	- Added changes to support FF_PERIODIC/FF_CUSTOM and FF_CONSTANT.
> > 	- Updated the dt-related code.
> > 	- Removed memless related functions.
> > v7:
> > 	- Added more attributes to handle one value per file.
> > 	- Replaced and updated the dt-related code and functions called.
> > 	- Fixed error/functions.
> > v6: No changes.
> > v5: Fixed errors in Kconfig file.
> > v4: Updated code as dt-bindings are changed.
> > v3: No changes.
> > v2: Fixed kbuild error/warning
> >
> >
> >  drivers/input/misc/Kconfig  |   13 +
> >  drivers/input/misc/Makefile |    1 +
> >  drivers/input/misc/da7280.c | 1838
> > +++++++++++++++++++++++++++++++++++++++++++
> >  3 files changed, 1852 insertions(+)
> >  create mode 100644 drivers/input/misc/da7280.c
> 
> [snip]
> 
> > +static ssize_t
> > +patterns_store(struct device *dev,
> > +	       struct device_attribute *attr,
> > +	       const char *buf,
> > +	       size_t count)
> > +{
> > +	struct da7280_haptic *haptics = dev_get_drvdata(dev);
> > +	char cmd[MAX_USER_INPUT_LEN];
> > +	struct parse_data_t mem;
> > +	unsigned int val;
> > +	int error;
> > +
> > +	error = regmap_read(haptics->regmap, DA7280_MEM_CTL1, &val);
> > +	if (error)
> > +		return error;
> > +
> > +	if (count > MAX_USER_INPUT_LEN)
> > +		memcpy(cmd, buf, MAX_USER_INPUT_LEN);
> > +	else
> > +		memcpy(cmd, buf, count);
> > +
> > +	/* chop of '\n' introduced by echo at the end of the input */
> > +	if (cmd[count - 1] == '\n')
> > +		cmd[count - 1] = '\0';
> 
> You have a potential memory corruption bug here for the case where  count > MAX_USER_INPUT_LEN. The code
> correctly clamps the memcpy() length, but it still is at risk of writing beyond the end of the cmd buffer when doing the \0
> termination.
> 
> If you change the code above to say
> 
> 	if (count > MAX_USER_INPUT_LEN)
> 		count = MAX_USER_INPUT_LEN
> 	memcpy(cmd, buf, count);
> 
> it should take care of it, and it will also return the actual count written to the caller.

You are right and thanks for your comment, I will change the code as you suggested.

Kind regards,
Roy

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ