| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 16 Oct 2022 12:12:19 +0100
From: Jonathan Cameron <jic23@...nel.org>
To: Matti Vaittinen <mazziesaccount@...il.com>
Cc: Matti Vaittinen <matti.vaittinen@...rohmeurope.com>,
Lars-Peter Clausen <lars@...afoo.de>,
Michael Hennerich <Michael.Hennerich@...log.com>,
Cosmin Tanislav <cosmin.tanislav@...log.com>,
Alexandru Ardelean <alexandru.ardelean@...log.com>,
linux-iio@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 01/10] iio: adxl367: Fix unsafe buffer attributes
On Mon, 3 Oct 2022 11:10:29 +0300
Matti Vaittinen <mazziesaccount@...il.com> wrote:
> The devm_iio_kfifo_buffer_setup_ext() was changed by
> commit 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr")
> to silently expect that all attributes given in buffer_attrs array are
> device-attributes. This expectation was not forced by the API - and some
> drivers did register attributes created by IIO_CONST_ATTR().
>
> The added attribute "wrapping" does not copy the pointer to stored
> string constant and when the sysfs file is read the kernel will access
> to invalid location.
>
> Change the IIO_CONST_ATTRs from the driver to IIO_DEVICE_ATTR in order
> to prevent the invalid memory access.
>
> Signed-off-by: Matti Vaittinen <mazziesaccount@...il.com>
> Fixes: 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr")
Seems like a safe enough change to take without additional review.
Hence applied to the fixes-togreg branch of iio.git and marked
for stable.
Thanks,
Jonathan
>
> ---
>
> v2 => v3:
> Split change to own patch for simpler fix backporting.
> ---
> drivers/iio/accel/adxl367.c | 23 ++++++++++++++++++-----
> 1 file changed, 18 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/iio/accel/adxl367.c b/drivers/iio/accel/adxl367.c
> index 47feb375b70b..7c7d78040793 100644
> --- a/drivers/iio/accel/adxl367.c
> +++ b/drivers/iio/accel/adxl367.c
> @@ -1185,17 +1185,30 @@ static ssize_t adxl367_get_fifo_watermark(struct device *dev,
> return sysfs_emit(buf, "%d\n", fifo_watermark);
> }
>
> -static IIO_CONST_ATTR(hwfifo_watermark_min, "1");
> -static IIO_CONST_ATTR(hwfifo_watermark_max,
> - __stringify(ADXL367_FIFO_MAX_WATERMARK));
> +static ssize_t hwfifo_watermark_min_show(struct device *dev,
> + struct device_attribute *attr,
> + char *buf)
> +{
> + return sysfs_emit(buf, "%s\n", "1");
> +}
> +
> +static ssize_t hwfifo_watermark_max_show(struct device *dev,
> + struct device_attribute *attr,
> + char *buf)
> +{
> + return sysfs_emit(buf, "%s\n", __stringify(ADXL367_FIFO_MAX_WATERMARK));
> +}
> +
> +static IIO_DEVICE_ATTR_RO(hwfifo_watermark_min, 0);
> +static IIO_DEVICE_ATTR_RO(hwfifo_watermark_max, 0);
> static IIO_DEVICE_ATTR(hwfifo_watermark, 0444,
> adxl367_get_fifo_watermark, NULL, 0);
> static IIO_DEVICE_ATTR(hwfifo_enabled, 0444,
> adxl367_get_fifo_enabled, NULL, 0);
>
> static const struct attribute *adxl367_fifo_attributes[] = {
> - &iio_const_attr_hwfifo_watermark_min.dev_attr.attr,
> - &iio_const_attr_hwfifo_watermark_max.dev_attr.attr,
> + &iio_dev_attr_hwfifo_watermark_min.dev_attr.attr,
> + &iio_dev_attr_hwfifo_watermark_max.dev_attr.attr,
> &iio_dev_attr_hwfifo_watermark.dev_attr.attr,
> &iio_dev_attr_hwfifo_enabled.dev_attr.attr,
> NULL,
Powered by blists - more mailing lists