lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20221016121219.4114cab2@jic23-huawei>
Date:   Sun, 16 Oct 2022 12:12:19 +0100
From:   Jonathan Cameron <jic23@...nel.org>
To:     Matti Vaittinen <mazziesaccount@...il.com>
Cc:     Matti Vaittinen <matti.vaittinen@...rohmeurope.com>,
        Lars-Peter Clausen <lars@...afoo.de>,
        Michael Hennerich <Michael.Hennerich@...log.com>,
        Cosmin Tanislav <cosmin.tanislav@...log.com>,
        Alexandru Ardelean <alexandru.ardelean@...log.com>,
        linux-iio@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 01/10] iio: adxl367: Fix unsafe buffer attributes

On Mon, 3 Oct 2022 11:10:29 +0300
Matti Vaittinen <mazziesaccount@...il.com> wrote:

> The devm_iio_kfifo_buffer_setup_ext() was changed by
> commit 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr")
> to silently expect that all attributes given in buffer_attrs array are
> device-attributes. This expectation was not forced by the API - and some
> drivers did register attributes created by IIO_CONST_ATTR().
> 
> The added attribute "wrapping" does not copy the pointer to stored
> string constant and when the sysfs file is read the kernel will access
> to invalid location.
> 
> Change the IIO_CONST_ATTRs from the driver to IIO_DEVICE_ATTR in order
> to prevent the invalid memory access.
> 
> Signed-off-by: Matti Vaittinen <mazziesaccount@...il.com>
> Fixes: 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr")

Seems like a safe enough change to take without additional review.
Hence applied to the fixes-togreg branch of iio.git and marked
for stable.

Thanks,

Jonathan

> 
> ---
> 
> v2 => v3:
> Split change to own patch for simpler fix backporting.
> ---
>  drivers/iio/accel/adxl367.c | 23 ++++++++++++++++++-----
>  1 file changed, 18 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/iio/accel/adxl367.c b/drivers/iio/accel/adxl367.c
> index 47feb375b70b..7c7d78040793 100644
> --- a/drivers/iio/accel/adxl367.c
> +++ b/drivers/iio/accel/adxl367.c
> @@ -1185,17 +1185,30 @@ static ssize_t adxl367_get_fifo_watermark(struct device *dev,
>  	return sysfs_emit(buf, "%d\n", fifo_watermark);
>  }
>  
> -static IIO_CONST_ATTR(hwfifo_watermark_min, "1");
> -static IIO_CONST_ATTR(hwfifo_watermark_max,
> -		      __stringify(ADXL367_FIFO_MAX_WATERMARK));
> +static ssize_t hwfifo_watermark_min_show(struct device *dev,
> +					 struct device_attribute *attr,
> +					 char *buf)
> +{
> +	return sysfs_emit(buf, "%s\n", "1");
> +}
> +
> +static ssize_t hwfifo_watermark_max_show(struct device *dev,
> +					 struct device_attribute *attr,
> +					 char *buf)
> +{
> +	return sysfs_emit(buf, "%s\n", __stringify(ADXL367_FIFO_MAX_WATERMARK));
> +}
> +
> +static IIO_DEVICE_ATTR_RO(hwfifo_watermark_min, 0);
> +static IIO_DEVICE_ATTR_RO(hwfifo_watermark_max, 0);
>  static IIO_DEVICE_ATTR(hwfifo_watermark, 0444,
>  		       adxl367_get_fifo_watermark, NULL, 0);
>  static IIO_DEVICE_ATTR(hwfifo_enabled, 0444,
>  		       adxl367_get_fifo_enabled, NULL, 0);
>  
>  static const struct attribute *adxl367_fifo_attributes[] = {
> -	&iio_const_attr_hwfifo_watermark_min.dev_attr.attr,
> -	&iio_const_attr_hwfifo_watermark_max.dev_attr.attr,
> +	&iio_dev_attr_hwfifo_watermark_min.dev_attr.attr,
> +	&iio_dev_attr_hwfifo_watermark_max.dev_attr.attr,
>  	&iio_dev_attr_hwfifo_watermark.dev_attr.attr,
>  	&iio_dev_attr_hwfifo_enabled.dev_attr.attr,
>  	NULL,

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ