| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20211112214337.r5xrpeyjgdygzc3n@SoMainline.org>
Date: Fri, 12 Nov 2021 22:43:37 +0100
From: Marijn Suijten <marijn.suijten@...ainline.org>
To: Daniel Thompson <daniel.thompson@...aro.org>,
phone-devel@...r.kernel.org, Andy Gross <agross@...nel.org>,
Bjorn Andersson <bjorn.andersson@...aro.org>,
Rob Herring <robh+dt@...nel.org>,
Lee Jones <lee.jones@...aro.org>,
Jingoo Han <jingoohan1@...il.com>,
~postmarketos/upstreaming@...ts.sr.ht,
AngeloGioacchino Del Regno
<angelogioacchino.delregno@...ainline.org>,
Konrad Dybcio <konrad.dybcio@...ainline.org>,
Martin Botka <martin.botka@...ainline.org>,
Jami Kettunen <jami.kettunen@...ainline.org>,
Pavel Dubrova <pashadubrova@...il.com>,
Kiran Gunda <kgunda@...eaurora.org>,
Bryan Wu <cooloney@...il.com>, linux-arm-msm@...r.kernel.org,
devicetree@...r.kernel.org, linux-kernel@...r.kernel.org,
dri-devel@...ts.freedesktop.org, linux-fbdev@...r.kernel.org,
Courtney Cavin <courtney.cavin@...ymobile.com>
Subject: Re: [RESEND PATCH v2 04/13] backlight: qcom-wled: Fix off-by-one
maximum with default num_strings
On 2021-11-12 13:35:03, Marijn Suijten wrote:
> On 2021-11-12 12:08:39, Daniel Thompson wrote:
> > On Fri, Nov 12, 2021 at 01:26:57AM +0100, Marijn Suijten wrote:
> > > When not specifying num-strings in the DT the default is used, but +1 is
> > > added to it which turns WLED3 into 4 and WLED4/5 into 5 strings instead
> > > of 3 and 4 respectively, causing out-of-bounds reads and register
> > > read/writes. This +1 exists for a deficiency in the DT parsing code,
> > > and is simply omitted entirely - solving this oob issue - by parsing the
> > > property separately much like qcom,enabled-strings.
> > >
> > > This also allows more stringent checks on the maximum value when
> > > qcom,enabled-strings is provided in the DT. Note that num-strings is
> > > parsed after enabled-strings to give it final sign-off over the length,
> > > which DT currently utilizes to get around an incorrect fixed read of
> > > four elements from that array (has been addressed in a prior patch).
> > >
> > > Fixes: 93c64f1ea1e8 ("leds: add Qualcomm PM8941 WLED driver")
> > > Signed-off-by: Marijn Suijten <marijn.suijten@...ainline.org>
> > > Reviewed-By: AngeloGioacchino Del Regno <angelogioacchino.delregno@...ainline.org>
> > > ---
> > > drivers/video/backlight/qcom-wled.c | 51 +++++++++++------------------
> > > 1 file changed, 19 insertions(+), 32 deletions(-)
> > >
> > > diff --git a/drivers/video/backlight/qcom-wled.c b/drivers/video/backlight/qcom-wled.c
> > > index 977cd75827d7..c5232478a343 100644
> > > --- a/drivers/video/backlight/qcom-wled.c
> > > +++ b/drivers/video/backlight/qcom-wled.c
> > > @@ -1552,6 +1520,25 @@ static int wled_configure(struct wled *wled)
> > > }
> > > }
> > >
> > > + rc = of_property_read_u32(dev->of_node, "qcom,num-strings", &val);
> > > + if (!rc) {
> > > + if (val < 1 || val > wled->max_string_count) {
> > > + dev_err(dev, "qcom,num-strings must be between 1 and %d\n",
> > > + wled->max_string_count);
> > > + return -EINVAL;
> > > + }
> > > +
> > > + if (string_len > 0) {
> > > + dev_warn(dev, "qcom,num-strings and qcom,enabled-strings are ambiguous\n");
> >
> > The warning should also be below the error message on the next if statement.
>
> Agreed.
Thinking about this again while reworking the patches, I initially put
this above the error to make DT writers aware. There's no point telling
them that their values are out of sync (num-strings >
len(enabled-strings)), when they "shouldn't even" (don't need to) set
both in the first place. They might needlessly fix the discrepancy, see
the driver finally probe (working backlight) and carry on without
noticing this warning that now appears.
Sorry for bringing this back up, but I'm curious about your opinion.
- Marijn
Powered by blists - more mailing lists