| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <d6ef63bb-12e5-b530-d8cb-8f05a47a9e19@codeaurora.org>
Date: Tue, 10 Nov 2020 14:23:57 -0800
From: "Asutosh Das (asd)" <asutoshd@...eaurora.org>
To: Can Guo <cang@...eaurora.org>, nguyenb@...eaurora.org,
hongwus@...eaurora.org, rnayak@...eaurora.org,
linux-scsi@...r.kernel.org, kernel-team@...roid.com,
saravanak@...gle.com, salyzyn@...gle.com
Cc: Alim Akhtar <alim.akhtar@...sung.com>,
Avri Altman <avri.altman@....com>,
"James E.J. Bottomley" <jejb@...ux.ibm.com>,
"Martin K. Petersen" <martin.petersen@...cle.com>,
Stanley Chu <stanley.chu@...iatek.com>,
Bean Huo <beanhuo@...ron.com>,
Bart Van Assche <bvanassche@....org>,
open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v2 1/1] scsi: ufs: Fix unexpected values get from
ufshcd_read_desc_param()
On 10/21/2020 10:59 PM, Can Guo wrote:
> Since WB feature has been added, WB related sysfs entries can be accessed
> even when an UFS device does not support WB feature. In that case, the
> descriptors which are not supported by the UFS device may be wrongly
> reported when they are accessed from their corrsponding sysfs entries.
> Fix it by adding a sanity check of parameter offset against the actual
> decriptor length.
>
> Signed-off-by: Can Guo <cang@...eaurora.org>
> ---
Reviewed-by: Asutosh Das <asutoshd@...eaurora.org>
> drivers/scsi/ufs/ufshcd.c | 24 +++++++++++++++---------
> 1 file changed, 15 insertions(+), 9 deletions(-)
>
> diff --git a/drivers/scsi/ufs/ufshcd.c b/drivers/scsi/ufs/ufshcd.c
> index a2ebcc8..aeec10d 100644
> --- a/drivers/scsi/ufs/ufshcd.c
> +++ b/drivers/scsi/ufs/ufshcd.c
> @@ -3184,13 +3184,19 @@ int ufshcd_read_desc_param(struct ufs_hba *hba,
> /* Get the length of descriptor */
> ufshcd_map_desc_id_to_length(hba, desc_id, &buff_len);
> if (!buff_len) {
> - dev_err(hba->dev, "%s: Failed to get desc length", __func__);
> + dev_err(hba->dev, "%s: Failed to get desc length\n", __func__);
> + return -EINVAL;
> + }
> +
> + if (param_offset >= buff_len) {
> + dev_err(hba->dev, "%s: Invalid offset 0x%x in descriptor IDN 0x%x, length 0x%x\n",
> + __func__, param_offset, desc_id, buff_len);
> return -EINVAL;
> }
>
> /* Check whether we need temp memory */
> if (param_offset != 0 || param_size < buff_len) {
> - desc_buf = kmalloc(buff_len, GFP_KERNEL);
> + desc_buf = kzalloc(buff_len, GFP_KERNEL);
> if (!desc_buf)
> return -ENOMEM;
> } else {
> @@ -3204,14 +3210,14 @@ int ufshcd_read_desc_param(struct ufs_hba *hba,
> desc_buf, &buff_len);
>
> if (ret) {
> - dev_err(hba->dev, "%s: Failed reading descriptor. desc_id %d, desc_index %d, param_offset %d, ret %d",
> + dev_err(hba->dev, "%s: Failed reading descriptor. desc_id %d, desc_index %d, param_offset %d, ret %d\n",
> __func__, desc_id, desc_index, param_offset, ret);
> goto out;
> }
>
> /* Sanity check */
> if (desc_buf[QUERY_DESC_DESC_TYPE_OFFSET] != desc_id) {
> - dev_err(hba->dev, "%s: invalid desc_id %d in descriptor header",
> + dev_err(hba->dev, "%s: invalid desc_id %d in descriptor header\n",
> __func__, desc_buf[QUERY_DESC_DESC_TYPE_OFFSET]);
> ret = -EINVAL;
> goto out;
> @@ -3221,12 +3227,12 @@ int ufshcd_read_desc_param(struct ufs_hba *hba,
> buff_len = desc_buf[QUERY_DESC_LENGTH_OFFSET];
> ufshcd_update_desc_length(hba, desc_id, desc_index, buff_len);
>
> - /* Check wherher we will not copy more data, than available */
> - if (is_kmalloc && (param_offset + param_size) > buff_len)
> - param_size = buff_len - param_offset;
> -
> - if (is_kmalloc)
> + if (is_kmalloc) {
> + /* Make sure we don't copy more data than available */
> + if (param_offset + param_size > buff_len)
> + param_size = buff_len - param_offset;
> memcpy(param_read_buf, &desc_buf[param_offset], param_size);
> + }
> out:
> if (is_kmalloc)
> kfree(desc_buf);
>
--
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
Linux Foundation Collaborative Project
Powered by blists - more mailing lists