lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAMZ6Rq+xJv+NVHAUYjT+-MLeO+Owoo03T2hzaA9tOKLstxU0uA@mail.gmail.com>
Date:   Wed, 10 Mar 2021 03:18:53 +0900
From:   Vincent MAILHOL <mailhol.vincent@...adoo.fr>
To:     Jimmy Assarsson <jimmyassarsson@...il.com>
Cc:     Arunachalam Santhanam <arunachalam.santhanam@...bosch.com>,
        open list <linux-kernel@...r.kernel.org>,
        Marc Kleine-Budde <mkl@...gutronix.de>,
        linux-can <linux-can@...r.kernel.org>
Subject: Re: [RESEND v12] can: usb: etas_es58X: add support for ETAS ES58X CAN
 USB interfaces

On Wed. 10 Mar 2021 at 03:11, Vincent MAILHOL
<mailhol.vincent@...adoo.fr> wrote:
>
> On Wed. 10 Mar 2021 at 02:27, Jimmy Assarsson <jimmyassarsson@...il.com> wrote:
> >
> > Hi Vincent,
> >
> > On 2021-03-09 13:09, Vincent Mailhol wrote:
> > > This driver supports the ES581.4, ES582.1 and ES584.1 interfaces from
> > > ETAS GmbH (https://www.etas.com/en/products/es58x.php).
> > ...
> > > diff --git a/drivers/net/can/usb/etas_es58x/es58x_core.c b/drivers/net/can/usb/etas_es58x/es58x_core.c
> > > new file mode 100644
> > > index 000000000000..31f907a7b75f
> > > --- /dev/null
> > > +++ b/drivers/net/can/usb/etas_es58x/es58x_core.c
> > ...
> > > +/**
> > > + * es58x_add_skb_idx() - Increment an index of the loopback FIFO.
> > > + * @priv: ES58X private parameters related to the network device.
> > > + * @idx: address of the index to be incremented.
> > > + * @a: the increment. Must be positive and less or equal to
> > > + *   @priv->can.echo_skb_max.
> > > + *
> > > + * Do a modulus addition: set *@idx to (*@idx + @a) %
> > > + * @priv->can.echo_skb_max.
> > > + *
> > > + * Rationale: the modulus operator % takes a decent amount of CPU
> > > + * cycles (c.f. other division functions such as
> > > + * include/linux/math64.h:iter_div_u64_rem()).
> > > + */
> > > +static __always_inline void es58x_add_skb_idx(struct es58x_priv *priv,
> > > +                                           u16 *idx, u16 a)
> >
> > Never used?
>
> Indeed, this is a leftover. Should have been removed in v11 when I
> made the device FIFO size a power of two.
> I was not warned by the compiler, probably because this is an inline function.
>
> > ...
> > > +/**
> > > + * es58x_get_product_info() - Get the product information and print them.
> > > + * @es58x_dev: ES58X device.
> > > + *
> > > + * Do a synchronous call to get the product information.
> > > + *
> > > + * Return: zero on success, errno when any error occurs.
> > > + */
> > > +static int es58x_get_product_info(struct es58x_device *es58x_dev)
> > > +{
> > > +     struct usb_device *udev = es58x_dev->udev;
> > > +     const int es58x_prod_info_idx = 6;
> > > +     /* Empirical tests show a prod_info length of maximum 83,
> > > +      * below should be more than enough.
> > > +      */
> > > +     const size_t prod_info_len = 127;
> > > +     char *prod_info;
> > > +     int ret;
> > > +
> > > +     prod_info = kmalloc(prod_info_len, GFP_KERNEL);
> > > +     if (!prod_info)
> > > +             return -ENOMEM;
> > > +
> > > +     ret = usb_string(udev, es58x_prod_info_idx, prod_info, prod_info_len);
> > > +     if (ret < 0) {
> > > +             dev_err(es58x_dev->dev,
> > > +                     "%s: Could not read the product info: %pe\n",
> > > +                     __func__, ERR_PTR(ret));
> >
> > Missing free
>
> Absolutely!
>
> > > +             return ret;
> > > +     } else if (ret >= prod_info_len - 1) {
> > > +             dev_warn(es58x_dev->dev,
> > > +                      "%s: Buffer is too small, result might be truncated\n",
> > > +                      __func__);
> > > +     }
> > > +     dev_info(es58x_dev->dev, "Product info: %s\n", prod_info);
> > > +     kfree(prod_info);
> > > +
> > > +     return 0;
> > > +}
>
> Thanks for the two findings, both will be fixed in v13.

Out of curiosity, did you find the two issues throughout a code
review or did you use any kind of static analysis tool?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ