lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 25 Feb 2021 14:37:30 +0200
From:   Tony Lindgren <tony@...mide.com>
To:     Krzysztof Kozlowski <krzk@...nel.org>
Cc:     Dan Carpenter <dan.carpenter@...cle.com>,
        Colin King <colin.king@...onical.com>,
        Roger Quadros <rogerq@...nel.org>, linux-omap@...r.kernel.org,
        kernel-janitors@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] memory: gpmc: fix out of bounds read and dereference on
 gpmc_cs[]

* Krzysztof Kozlowski <krzk@...nel.org> [210224 08:11]:
> On Wed, Feb 24, 2021 at 10:55:52AM +0300, Dan Carpenter wrote:
> > On Tue, Feb 23, 2021 at 07:38:21PM +0000, Colin King wrote:
> > > From: Colin Ian King <colin.king@...onical.com>
> > > 
> > > Currently the array gpmc_cs is indexed by cs before it cs is range checked
> > > and the pointer read from this out-of-index read is dereferenced. Fix this
> > > by performing the range check on cs before the read and the following
> > > pointer dereference.
> > > 
> > > Addresses-Coverity: ("Negative array index read")
> > > Fixes: 186401937927 ("memory: gpmc: Move omap gpmc code to live under drivers")
> > > Signed-off-by: Colin Ian King <colin.king@...onical.com>
> > > ---
> > >  drivers/memory/omap-gpmc.c | 7 +++++--
> > >  1 file changed, 5 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/drivers/memory/omap-gpmc.c b/drivers/memory/omap-gpmc.c
> > > index cfa730cfd145..f80c2ea39ca4 100644
> > > --- a/drivers/memory/omap-gpmc.c
> > > +++ b/drivers/memory/omap-gpmc.c
> > > @@ -1009,8 +1009,8 @@ EXPORT_SYMBOL(gpmc_cs_request);
> > >  
> > >  void gpmc_cs_free(int cs)
> > >  {
> > > -	struct gpmc_cs_data *gpmc = &gpmc_cs[cs];
> > > -	struct resource *res = &gpmc->mem;
> > 
> > There is no actual dereferencing going on here, it just taking the
> > addresses.  But the patch is also harmless and improves readability.
> 
> Hm, in the second line indeed the compiler will just calculate the
> offset of "mem" field against the "gpmc_cs+cs" and return it's probable
> address.
> 
> To me still the code is a little bit non-obvious or obfuscated - first
> you play with the array[index] and then you check the validity of index.

To me it seems the fixes tag is not ideal.. Seems this issue was there
earlier too before moving the code. In any case:

Reviewed-by: Tony Lindgren <tony@...mide.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ