| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <f2e89d3a-f6ad-6fdc-1bd1-eb38f5a8f569@wanadoo.fr>
Date: Sat, 25 Jun 2022 08:37:49 +0200
From: Christophe JAILLET <christophe.jaillet@...adoo.fr>
To: fabrice.gasnier@...s.st.com
Cc: alexandre.torgue@...s.st.com, amelie.delaunay@...s.st.com,
devicetree@...r.kernel.org, gregkh@...uxfoundation.org,
heikki.krogerus@...ux.intel.com, krzysztof.kozlowski+dt@...aro.org,
linux-kernel@...r.kernel.org,
linux-stm32@...md-mailman.stormreply.com,
linux-usb@...r.kernel.org, robh+dt@...nel.org
Subject: Re: [PATCH 2/4] usb: typec: ucsi: stm32g0: add support for stm32g0
i2c controller
Le 24/06/2022 à 17:54, Fabrice Gasnier a écrit :
> STM32G0 provides an integrated USB Type-C and power delivery interface.
> It can be programmed with a firmware to handle UCSI protocol over I2C
> interface. A GPIO is used as an interrupt line.
>
> Signed-off-by: Fabrice Gasnier <fabrice.gasnier-rj0Iel/JR4NBDgjK7y7TUQ@...lic.gmane.org>
> ---
> drivers/usb/typec/ucsi/Kconfig | 10 ++
> drivers/usb/typec/ucsi/Makefile | 1 +
> drivers/usb/typec/ucsi/ucsi_stm32g0.c | 218 ++++++++++++++++++++++++++
> 3 files changed, 229 insertions(+)
> create mode 100644 drivers/usb/typec/ucsi/ucsi_stm32g0.c
>
[...]
> +static int ucsi_stm32g0_async_write(struct ucsi *ucsi, unsigned int offset, const void *val,
> + size_t len)
> +{
> + struct ucsi_stm32g0 *g0 = ucsi_get_drvdata(ucsi);
> + struct i2c_client *client = g0->client;
> + struct i2c_msg msg[] = {
> + {
> + .addr = client->addr,
> + .flags = 0,
> + }
> + };
> + unsigned char *buf;
> + int ret;
> +
> + buf = kzalloc(len + 1, GFP_KERNEL);
Hi,
Nit: kmalloc() would be enough here, the whole buffer is written just a
few lines after.
> + if (!buf)
> + return -ENOMEM;
> +
> + buf[0] = offset;
> + memcpy(&buf[1], val, len);
> + msg[0].len = len + 1;
> + msg[0].buf = buf;
> +
> + ret = i2c_transfer(client->adapter, msg, ARRAY_SIZE(msg));
> + kfree(buf);
> + if (ret != ARRAY_SIZE(msg)) {
> + dev_err(g0->dev, "i2c write %02x, %02x error: %d\n", client->addr, buf[0], ret);
Use-after-free of buf.
> +
> + return ret < 0 ? ret : -EIO;
> + }
> +
> + return 0;
> +}
> +
Just my 2c,
CJ
[...]
Powered by blists - more mailing lists