lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20220116115821.1d58b437@jic23-huawei>
Date:   Sun, 16 Jan 2022 11:58:21 +0000
From:   Jonathan Cameron <jic23@...nel.org>
To:     Oleksij Rempel <o.rempel@...gutronix.de>
Cc:     devicetree@...r.kernel.org, Lars-Peter Clausen <lars@...afoo.de>,
        linux-iio@...r.kernel.org,
        Robin van der Gracht <robin@...tonic.nl>,
        linux-kernel@...r.kernel.org,
        Pengutronix Kernel Team <kernel@...gutronix.de>,
        David Jander <david@...tonic.nl>
Subject: Re: [PATCH v1 1/1] iio: adc: tsc2046: fix memory corruption by
 preventing array overflow

On Sat, 15 Jan 2022 18:16:59 +0000
Jonathan Cameron <jic23@...nel.org> wrote:

> On Mon, 10 Jan 2022 08:19:45 +0100
> Oleksij Rempel <o.rempel@...gutronix.de> wrote:
> 
> > Hi Jonathan,
> > 
> > On Sun, Jan 09, 2022 at 03:25:57PM +0000, Jonathan Cameron wrote:  
> > > On Fri,  7 Jan 2022 09:14:01 +0100
> > > Oleksij Rempel <o.rempel@...gutronix.de> wrote:
> > >     
> > > > On one side we have indio_dev->num_channels includes all physical channels +
> > > > timestamp channel. On other side we have an array allocated only for
> > > > physical channels. So, fix memory corruption by ARRAY_SIZE() instead of
> > > > num_channels variable.
> > > > 
> > > > Fixes: 9374e8f5a38d ("iio: adc: add ADC driver for the TI TSC2046 controller")
> > > > Signed-off-by: Oleksij Rempel <o.rempel@...gutronix.de>    
> > > Hi Olesij,
> > > 
> > > Have you managed to make this occur, or is it inspection only?    
> > 
> > Yes, this bug has eaten my rx_one and tx_one pointers on probe. I wonted
> > to use this buffers for read_raw and noticed that they do not exist.  
> 
> I got hung up on the first case and failed to notice the second one was
> entirely different :(
> 
> >   
> > > I 'think' (it's been a while since I looked at the particular code) that the timestamp
> > > bit in active_scan_mask will never actually be set because we handle that as a
> > > separate flag.    
> > 
> > I didn't tested if active_scan_mask will trigger this issue as well, but
> > It it looked safer to me, to avoid this issue in both places. Even if on
> > of it is only theoretical.  
> 
> It certainly does no harm to not check a bit that is never set, so I'm fine with
> the change - just don't want to have lots of 'fixes' for this in other drivers
> adding noise and pointless backports.  This one is fine because we need the
> other part of the patch anyway.
> 
> Jonathan

On that note, applied to the fixes-togreg branch of iio.git and marked for stable
with a minor addition to the patch description to make
sure we don't get the first case cargo picked up by anyone who doesn't read this
thread as something to 'fix' everywhere else.

Thanks,

Jonathan

> 
> 
> >   
> > > So it is indeed an efficiency improvement to not check that bit but I don't think
> > > it's a bug to do so.  More than possible I'm missing something though!
> > > 
> > > This one had me quite worried when I first read it because this is a very common
> > > pattern to see in IIO drivers.    
> > 
> > I was thinking about this as well, because big part of this code was
> > inspired by other drivers. But i didn't reviewed other places so far.
> > 
> > Regards,
> > Oleksij  
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ