| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <916d89fd-529f-300d-4e32-ea14b4ac64fa@gmail.com>
Date: Sun, 22 Aug 2021 19:15:10 +0300
From: Pavel Skripkin <paskripkin@...il.com>
To: "Fabio M. De Francesco" <fmdefrancesco@...il.com>,
Greg KH <gregkh@...uxfoundation.org>
Cc: Larry.Finger@...inger.net, phil@...lpotter.co.uk,
straube.linux@...il.com, linux-staging@...ts.linux.dev,
linux-kernel@...r.kernel.org, Martin Kaiser <martin@...ser.cx>
Subject: Re: [PATCH RFC 0/3] staging: r8188eu: avoid uninit value bugs
On 8/22/21 7:03 PM, Fabio M. De Francesco wrote:
> On Sunday, August 22, 2021 3:31:31 PM CEST Pavel Skripkin wrote:
>> On 8/22/21 4:21 PM, Fabio M. De Francesco wrote:
>> > On Sunday, August 22, 2021 2:39:34 PM CEST Greg KH wrote:
>> >> On Sun, Aug 22, 2021 at 03:10:56PM +0300, Pavel Skripkin wrote:
>> >> > On 8/22/21 1:59 PM, Fabio M. De Francesco wrote:
>> >> > > On Sunday, August 22, 2021 12:09:29 PM CEST Pavel Skripkin wrote:
>> > [...]
>> >> > > So, it's up to the callers to test if (!_rtw_read*()) and then act
>> >> > > accordingly. If they get 0 they should know how to handle the errors.
>> >> >
>> >> > Yes, but _rtw_read*() == 0 indicates 2 states:
>> >> > 1. Error on transfer side
>> >> > 2. Actual register value is 0
>> >>
>> >> That's not a good design, it should be fixed. Note there is the new
>> >> usb_control_msg_recv() function which should probably be used instead
>> >> here, to prevent this problem from happening.
>> >
>> > I think that no functions should return 0 for signaling FAILURE. If I'm not
>> > wrong, the kernel quite always prefers to return 0 on SUCCESS and <0 on
>> > FAILURE. Why don't you just fix this?
>> >
>> That's what I've done in v2. All rtw_read* family will have following
>> prototype in v2:
>>
>> int __must_check _rtw_read8(struct adapter *adapter, u32 addr, u8 *data);
>>
(*)
>> Was it your idea, or you were talking about different approach?
>>
>> With regards,
>> Pavel Skripkin
>
> Pavel,
>
> Yes, it is correct.
>
> However, after that I had time to look at the calls chain and understand what
> each function does and then I saw that my initial proposal should be made
> along with another one...
>
> The calls chain is:
>
> (1) _rtw_read8() <--- (returns the data read from next function in chain)
> (no errors returned, see possible fix in next function)
> (2) usb_read8() <--- (returns the data read from next function in chain)
> (_data_may_be_unitialised_, no errors returned)
> (possible fix: from "u8 data"; to "char data = -1;")
Anyway char will be cast to u8 and -1 will become 0xff. 0xff is still
valid register value, I guess.
> (3) usbctrl_vendorreq() <---- (returns data read from next function in chain)
> (data is always a valid pointer saved to third argument)
> (if it fails, the third argument is unchanged because it
> still has the address of the "data" argument given by the caller) > (4) usb_control_msg() <---- (it always returns how
many bytes read or valid error codes)
> (it _never_ returns 0: either positive or negative values)
>
> I have not yet looked at the usb_control_msg_recv() which Greg talked about.
>
> To summarize: in function (2) "u8 data" should become "char data = -1;".
>
So, anyway caller _should_ somehow receive an error from
usb_control_msg(). We can just change rtw_read{8,16,32} return values
from u{8,16,32} to int32, but anyway it will require all changes, that
I've done in this series, but in slightly different form. I.e temp int32
variable + error checking + casting int to u{8,16,32}.
Doesn't it make sense to just switch to more standard prototype (*)? All
other drivers use this prototype for their private reading functions.
With regards,
Pavel Skripkin
Powered by blists - more mailing lists