lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1648182849-9209-1-git-send-email-baihaowen@meizu.com>
Date:   Fri, 25 Mar 2022 12:34:09 +0800
From:   Haowen Bai <baihaowen@...zu.com>
To:     <linux@...ck-us.net>, <heikki.krogerus@...ux.intel.com>,
        <gregkh@...uxfoundation.org>
CC:     <linux-usb@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
        Haowen Bai <baihaowen@...zu.com>
Subject: [PATCH] usb: typec: tcpm: testing array offset 'port->logbuffer_head' before use

Fix possible indexing array of bound for 
port->logbuffer[port->logbuffer_head], where port->logbuffer_head boundary
 check happens later. so we do it before.

Signed-off-by: Haowen Bai <baihaowen@...zu.com>
---
 drivers/usb/typec/tcpm/tcpm.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c
index 5fce795..541e9e4 100644
--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -591,6 +591,14 @@ static void _tcpm_log(struct tcpm_port *port, const char *fmt, va_list args)
 	unsigned long rem_nsec;
 
 	mutex_lock(&port->logbuffer_lock);
+
+	if (port->logbuffer_head < 0 ||
+	    port->logbuffer_head >= LOG_BUFFER_ENTRIES) {
+		dev_warn(port->dev,
+			 "Bad log buffer index %d\n", port->logbuffer_head);
+		goto abort;
+	}
+
 	if (!port->logbuffer[port->logbuffer_head]) {
 		port->logbuffer[port->logbuffer_head] =
 				kzalloc(LOG_BUFFER_ENTRY_SIZE, GFP_KERNEL);
@@ -607,13 +615,6 @@ static void _tcpm_log(struct tcpm_port *port, const char *fmt, va_list args)
 		strcpy(tmpbuffer, "overflow");
 	}
 
-	if (port->logbuffer_head < 0 ||
-	    port->logbuffer_head >= LOG_BUFFER_ENTRIES) {
-		dev_warn(port->dev,
-			 "Bad log buffer index %d\n", port->logbuffer_head);
-		goto abort;
-	}
-
 	if (!port->logbuffer[port->logbuffer_head]) {
 		dev_warn(port->dev,
 			 "Log buffer index %d is NULL\n", port->logbuffer_head);
-- 
2.7.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ