lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <X8oLGdtViazqIKDX@localhost>
Date:   Fri, 4 Dec 2020 11:10:33 +0100
From:   Johan Hovold <johan@...nel.org>
To:     Himadri Pandya <himadrispandya@...il.com>
Cc:     johan@...nel.org, gregkh@...uxfoundation.org,
        linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-kernel-mentees@...ts.linuxfoundation.org
Subject: Re: [PATCH 09/15] usb: serial: io_edgeport: use
 usb_control_msg_recv() and usb_control_msg_send()

On Wed, Nov 04, 2020 at 12:16:57PM +0530, Himadri Pandya wrote:
> The new usb_control_msg_recv() and usb_control_msg_send() nicely wraps
> usb_control_msg() with proper error check. Hence use the wrappers
> instead of calling usb_control_msg() directly.
> 
> Signed-off-by: Himadri Pandya <himadrispandya@...il.com>
> ---
>  drivers/usb/serial/io_edgeport.c | 73 ++++++++++++--------------------
>  1 file changed, 27 insertions(+), 46 deletions(-)
> 
> diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c
> index ba5d8df69518..8479d5684af7 100644
> --- a/drivers/usb/serial/io_edgeport.c
> +++ b/drivers/usb/serial/io_edgeport.c
> @@ -568,34 +568,29 @@ static int get_epic_descriptor(struct edgeport_serial *ep)
>  	int result;
>  	struct usb_serial *serial = ep->serial;
>  	struct edgeport_product_info *product_info = &ep->product_info;
> -	struct edge_compatibility_descriptor *epic;
> +	struct edge_compatibility_descriptor epic;
>  	struct edge_compatibility_bits *bits;
>  	struct device *dev = &serial->dev->dev;
>  
>  	ep->is_epic = 0;
>  
> -	epic = kmalloc(sizeof(*epic), GFP_KERNEL);
> -	if (!epic)
> -		return -ENOMEM;
> -
> -	result = usb_control_msg(serial->dev, usb_rcvctrlpipe(serial->dev, 0),
> -				 USB_REQUEST_ION_GET_EPIC_DESC,
> -				 0xC0, 0x00, 0x00,
> -				 epic, sizeof(*epic),
> -				 300);
> -	if (result == sizeof(*epic)) {
> +	result = usb_control_msg_recv(serial->dev, 0,
> +				      USB_REQUEST_ION_GET_EPIC_DESC, 0xC0,
> +				      0x00, 0x00, &epic, sizeof(epic), 300,
> +				      GFP_KERNEL);
> +	if (result) {

Here's another logical error due to the test being inverted, which
results in the uninitialised stack-allocated buffer to be used for debug
printks (potentially leaking stack data) in case of errors.

>  		ep->is_epic = 1;
> -		memcpy(&ep->epic_descriptor, epic, sizeof(*epic));
> +		memcpy(&ep->epic_descriptor, &epic, sizeof(epic));
>  		memset(product_info, 0, sizeof(struct edgeport_product_info));
>  
> -		product_info->NumPorts = epic->NumPorts;
> +		product_info->NumPorts = epic.NumPorts;
>  		product_info->ProdInfoVer = 0;
> -		product_info->FirmwareMajorVersion = epic->MajorVersion;
> -		product_info->FirmwareMinorVersion = epic->MinorVersion;
> -		product_info->FirmwareBuildNumber = epic->BuildNumber;
> -		product_info->iDownloadFile = epic->iDownloadFile;
> -		product_info->EpicVer = epic->EpicVer;
> -		product_info->Epic = epic->Supports;
> +		product_info->FirmwareMajorVersion = epic.MajorVersion;
> +		product_info->FirmwareMinorVersion = epic.MinorVersion;
> +		product_info->FirmwareBuildNumber = epic.BuildNumber;
> +		product_info->iDownloadFile = epic.iDownloadFile;
> +		product_info->EpicVer = epic.EpicVer;
> +		product_info->Epic = epic.Supports;
>  		product_info->ProductId = ION_DEVICE_ID_EDGEPORT_COMPATIBLE;
>  		dump_product_info(ep, product_info);
>  
> @@ -614,16 +609,12 @@ static int get_epic_descriptor(struct edgeport_serial *ep)
>  		dev_dbg(dev, "  IOSPWriteLCR     : %s\n", bits->IOSPWriteLCR	? "TRUE": "FALSE");
>  		dev_dbg(dev, "  IOSPSetBaudRate  : %s\n", bits->IOSPSetBaudRate	? "TRUE": "FALSE");
>  		dev_dbg(dev, "  TrueEdgeport     : %s\n", bits->TrueEdgeport	? "TRUE": "FALSE");
> -
> -		result = 0;
> -	} else if (result >= 0) {
> +	} else {
>  		dev_warn(&serial->interface->dev, "short epic descriptor received: %d\n",
>  			 result);
>  		result = -EIO;

...and the driver now always fails to probe with -EIO.

>  	}
>  
> -	kfree(epic);
> -
>  	return result;
>  }
>  
> @@ -2168,11 +2159,6 @@ static int rom_read(struct usb_serial *serial, __u16 extAddr,
>  {
>  	int result;
>  	__u16 current_length;
> -	unsigned char *transfer_buffer;
> -
> -	transfer_buffer =  kmalloc(64, GFP_KERNEL);
> -	if (!transfer_buffer)
> -		return -ENOMEM;
>  
>  	/* need to split these reads up into 64 byte chunks */
>  	result = 0;
> @@ -2181,25 +2167,18 @@ static int rom_read(struct usb_serial *serial, __u16 extAddr,
>  			current_length = 64;
>  		else
>  			current_length = length;
> -		result = usb_control_msg(serial->dev,
> -					usb_rcvctrlpipe(serial->dev, 0),
> -					USB_REQUEST_ION_READ_ROM,
> -					0xC0, addr, extAddr, transfer_buffer,
> -					current_length, 300);
> -		if (result < current_length) {
> -			if (result >= 0)
> -				result = -EIO;
> +		result = usb_control_msg_recv(serial->dev, 0,
> +					      USB_REQUEST_ION_READ_ROM, 0xC0,
> +					      addr, extAddr, data,
> +					      current_length, 300, GFP_KERNEL);
> +		if (result)
>  			break;
> -		}
> -		memcpy(data, transfer_buffer, current_length);
> +
>  		length -= current_length;
>  		addr += current_length;
>  		data += current_length;
>  
> -		result = 0;
>  	}
> -
> -	kfree(transfer_buffer);
>  	return result;
>  }

Here a single allocation of a buffer that get's used repeatedly is
replaced with one allocation per iteration. I suggest leaving this as
is.

Please just drop this patch.

Johan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ