| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 27 Aug 2021 12:16:25 +0300
From: Pavel Skripkin <paskripkin@...il.com>
To: Dan Carpenter <dan.carpenter@...cle.com>
Cc: Larry.Finger@...inger.net, phil@...lpotter.co.uk,
gregkh@...uxfoundation.org, straube.linux@...il.com,
fmdefrancesco@...il.com, linux-staging@...ts.linux.dev,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 3/6] staging: r8188eu: add error handling of rtw_read8
On 8/27/21 12:07 PM, Dan Carpenter wrote:
> On Tue, Aug 24, 2021 at 10:27:27AM +0300, Pavel Skripkin wrote:
>> @@ -83,7 +83,12 @@ int proc_get_read_reg(char *page, char **start,
>>
>> switch (proc_get_read_len) {
>> case 1:
>> - len += snprintf(page + len, count - len, "rtw_read8(0x%x)=0x%x\n", proc_get_read_addr, rtw_read8(padapter, proc_get_read_addr));
>> + error = rtw_read8(padapter, proc_get_read_addr, (u8 *) &tmp);
>> + if (error)
>> + return len;
>> +
>> + len += snprintf(page + len, count - len, "rtw_read8(0x%x)=0x%x\n",
>> + proc_get_read_addr, (u8) tmp);
>> break;
>
> Oh my goodness... :P
>
> If you look at what proc_get_read_addr is, it turns out it's a 32bit
> address which is controlled by the user in proc_set_read_reg(). LOL!
> Just a giant security hole.
>
> My advise is just delete this dead code. No one is using it so how
> necessary can it be?
Yep, it's dead code as was already mentioned. My plan is to convert all
this code to sysfs. One thing I am wondering about should I include
these changes into this series?...
With regards,
Pavel Skripkin
Powered by blists - more mailing lists