| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 3 Jul 2020 06:50:47 +0000
From: Roy Im <roy.im.opensource@...semi.com>
To: Jes Sorensen <jes.sorensen@...il.com>,
Roy Im <roy.im.opensource@...semi.com>,
Uwe Kleine-Koenig <u.kleine-koenig@...gutronix.de>,
Bartosz Golaszewski <bgolaszewski@...libre.com>,
Brian Masney <masneyb@...tation.org>,
Dmitry Torokhov <dmitry.torokhov@...il.com>,
Greg KH <gregkh@...uxfoundation.org>,
Lee Jones <lee.jones@...aro.org>, Luca Weiss <luca@...tu.xyz>,
Maximilian Luz <luzmaximilian@...il.com>,
Pascal PAILLET-LME <p.paillet@...com>,
Rob Herring <robh@...nel.org>,
Samuel Ortiz <sameo@...ux.intel.com>,
Thierry Reding <thierry.reding@...il.com>,
Thomas Gleixner <tglx@...utronix.de>
CC: Support Opensource <Support.Opensource@...semi.com>,
"linux-input@...r.kernel.org" <linux-input@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
"linux-pwm@...r.kernel.org" <linux-pwm@...r.kernel.org>
Subject: RE: [PATCH v15 3/3] Input: new da7280 haptic driver
On Fri, July 3, 2020 3:02 AM, Jes Sorensen wrote:
> On 6/29/20 9:01 AM, Roy Im wrote:
> > Adds support for the Dialog DA7280 LRA/ERM Haptic Driver with multiple
> > mode and integrated waveform memory and wideband support.
> > It communicates via an I2C bus to the device.
> >
> > Signed-off-by: Roy Im <roy.im.opensource@...semi.com>
> > ---
> > v15:
> > - Removed some defines and updated some comments.
> > v14:
> > - Updated pwm related code, alignments and comments.
> > v13:
> > - Updated some conditions in pwm function and alignments.
> > v12: No changes.
> > v11:
> > - Updated the pwm related code, comments and typo.
> > v10:
> > - Updated the pwm related function and added some comments.
> > v9:
> > - Removed the header file and put the definitions into the c file.
> > - Updated the pwm code and error logs with %pE
> > v8:
> > - Added changes to support FF_PERIODIC/FF_CUSTOM and FF_CONSTANT.
> > - Updated the dt-related code.
> > - Removed memless related functions.
> > v7:
> > - Added more attributes to handle one value per file.
> > - Replaced and updated the dt-related code and functions called.
> > - Fixed error/functions.
> > v6: No changes.
> > v5: Fixed errors in Kconfig file.
> > v4: Updated code as dt-bindings are changed.
> > v3: No changes.
> > v2: Fixed kbuild error/warning
> >
> >
> > drivers/input/misc/Kconfig | 13 +
> > drivers/input/misc/Makefile | 1 +
> > drivers/input/misc/da7280.c | 1838
> > +++++++++++++++++++++++++++++++++++++++++++
> > 3 files changed, 1852 insertions(+)
> > create mode 100644 drivers/input/misc/da7280.c
>
> [snip]
>
> > +static ssize_t
> > +patterns_store(struct device *dev,
> > + struct device_attribute *attr,
> > + const char *buf,
> > + size_t count)
> > +{
> > + struct da7280_haptic *haptics = dev_get_drvdata(dev);
> > + char cmd[MAX_USER_INPUT_LEN];
> > + struct parse_data_t mem;
> > + unsigned int val;
> > + int error;
> > +
> > + error = regmap_read(haptics->regmap, DA7280_MEM_CTL1, &val);
> > + if (error)
> > + return error;
> > +
> > + if (count > MAX_USER_INPUT_LEN)
> > + memcpy(cmd, buf, MAX_USER_INPUT_LEN);
> > + else
> > + memcpy(cmd, buf, count);
> > +
> > + /* chop of '\n' introduced by echo at the end of the input */
> > + if (cmd[count - 1] == '\n')
> > + cmd[count - 1] = '\0';
>
> You have a potential memory corruption bug here for the case where count > MAX_USER_INPUT_LEN. The code
> correctly clamps the memcpy() length, but it still is at risk of writing beyond the end of the cmd buffer when doing the \0
> termination.
>
> If you change the code above to say
>
> if (count > MAX_USER_INPUT_LEN)
> count = MAX_USER_INPUT_LEN
> memcpy(cmd, buf, count);
>
> it should take care of it, and it will also return the actual count written to the caller.
You are right and thanks for your comment, I will change the code as you suggested.
Kind regards,
Roy
Powered by blists - more mailing lists