| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 16 Jan 2022 11:58:21 +0000
From: Jonathan Cameron <jic23@...nel.org>
To: Oleksij Rempel <o.rempel@...gutronix.de>
Cc: devicetree@...r.kernel.org, Lars-Peter Clausen <lars@...afoo.de>,
linux-iio@...r.kernel.org,
Robin van der Gracht <robin@...tonic.nl>,
linux-kernel@...r.kernel.org,
Pengutronix Kernel Team <kernel@...gutronix.de>,
David Jander <david@...tonic.nl>
Subject: Re: [PATCH v1 1/1] iio: adc: tsc2046: fix memory corruption by
preventing array overflow
On Sat, 15 Jan 2022 18:16:59 +0000
Jonathan Cameron <jic23@...nel.org> wrote:
> On Mon, 10 Jan 2022 08:19:45 +0100
> Oleksij Rempel <o.rempel@...gutronix.de> wrote:
>
> > Hi Jonathan,
> >
> > On Sun, Jan 09, 2022 at 03:25:57PM +0000, Jonathan Cameron wrote:
> > > On Fri, 7 Jan 2022 09:14:01 +0100
> > > Oleksij Rempel <o.rempel@...gutronix.de> wrote:
> > >
> > > > On one side we have indio_dev->num_channels includes all physical channels +
> > > > timestamp channel. On other side we have an array allocated only for
> > > > physical channels. So, fix memory corruption by ARRAY_SIZE() instead of
> > > > num_channels variable.
> > > >
> > > > Fixes: 9374e8f5a38d ("iio: adc: add ADC driver for the TI TSC2046 controller")
> > > > Signed-off-by: Oleksij Rempel <o.rempel@...gutronix.de>
> > > Hi Olesij,
> > >
> > > Have you managed to make this occur, or is it inspection only?
> >
> > Yes, this bug has eaten my rx_one and tx_one pointers on probe. I wonted
> > to use this buffers for read_raw and noticed that they do not exist.
>
> I got hung up on the first case and failed to notice the second one was
> entirely different :(
>
> >
> > > I 'think' (it's been a while since I looked at the particular code) that the timestamp
> > > bit in active_scan_mask will never actually be set because we handle that as a
> > > separate flag.
> >
> > I didn't tested if active_scan_mask will trigger this issue as well, but
> > It it looked safer to me, to avoid this issue in both places. Even if on
> > of it is only theoretical.
>
> It certainly does no harm to not check a bit that is never set, so I'm fine with
> the change - just don't want to have lots of 'fixes' for this in other drivers
> adding noise and pointless backports. This one is fine because we need the
> other part of the patch anyway.
>
> Jonathan
On that note, applied to the fixes-togreg branch of iio.git and marked for stable
with a minor addition to the patch description to make
sure we don't get the first case cargo picked up by anyone who doesn't read this
thread as something to 'fix' everywhere else.
Thanks,
Jonathan
>
>
> >
> > > So it is indeed an efficiency improvement to not check that bit but I don't think
> > > it's a bug to do so. More than possible I'm missing something though!
> > >
> > > This one had me quite worried when I first read it because this is a very common
> > > pattern to see in IIO drivers.
> >
> > I was thinking about this as well, because big part of this code was
> > inspired by other drivers. But i didn't reviewed other places so far.
> >
> > Regards,
> > Oleksij
>
Powered by blists - more mailing lists