Message-ID: <20221016121332.4240fe60@jic23-huawei>
Date: Sun, 16 Oct 2022 12:13:32 +0100
From: Jonathan Cameron <jic23@...nel.org>
To: Matti Vaittinen <mazziesaccount@...il.com>
Cc: Matti Vaittinen <matti.vaittinen@...rohmeurope.com>,
Lars-Peter Clausen <lars@...afoo.de>,
Alexandru Ardelean <alexandru.ardelean@...log.com>,
Miquel Raynal <miquel.raynal@...tlin.com>,
Srinivas Pandruvada <srinivas.pandruvada@...ux.intel.com>,
Miaoqian Lin <linmq006@...il.com>,
Uwe Kleine-König
<u.kleine-koenig@...gutronix.de>, linux-iio@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 03/10] iio: bmc150-accel-core: Fix unsafe buffer
attributes
On Mon, 3 Oct 2022 11:11:12 +0300
Matti Vaittinen <mazziesaccount@...il.com> wrote:
> The iio_triggered_buffer_setup_ext() was changed by
> commit 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr")
> to silently expect that all attributes given in buffer_attrs array are
> device-attributes. This expectation was not forced by the API - and some
> drivers did register attributes created by IIO_CONST_ATTR().
>
> The added attribute "wrapping" does not copy the pointer to the stored
> string constant, and when the sysfs file is read the kernel will access
> an invalid location.
>
> Change the IIO_CONST_ATTRs from the driver to IIO_DEVICE_ATTR in order
> to prevent the invalid memory access.
>
> Signed-off-by: Matti Vaittinen <mazziesaccount@...il.com>
> Fixes: 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr")
Applied to the fixes-togreg branch of iio.git and marked for stable.
Thanks,
Jonathan
>
> ---
>
> v2 => v3:
> Split change to own patch for simpler fix backporting.
> ---
> drivers/iio/accel/bmc150-accel-core.c | 23 ++++++++++++++++++-----
> 1 file changed, 18 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/iio/accel/bmc150-accel-core.c b/drivers/iio/accel/bmc150-accel-core.c
> index 57e8a8350cd1..92f8b139acce 100644
> --- a/drivers/iio/accel/bmc150-accel-core.c
> +++ b/drivers/iio/accel/bmc150-accel-core.c
> @@ -925,17 +925,30 @@ static const struct iio_chan_spec_ext_info bmc150_accel_ext_info[] = {
> { }
> };
>
> -static IIO_CONST_ATTR(hwfifo_watermark_min, "1");
> -static IIO_CONST_ATTR(hwfifo_watermark_max,
> - __stringify(BMC150_ACCEL_FIFO_LENGTH));
> +static ssize_t hwfifo_watermark_min_show(struct device *dev,
> + struct device_attribute *attr,
> + char *buf)
> +{
> + return sysfs_emit(buf, "%s\n", "1");
> +}
> +
> +static ssize_t hwfifo_watermark_max_show(struct device *dev,
> + struct device_attribute *attr,
> + char *buf)
> +{
> + return sysfs_emit(buf, "%s\n", __stringify(BMC150_ACCEL_FIFO_LENGTH));
> +}
> +
> +static IIO_DEVICE_ATTR_RO(hwfifo_watermark_min, 0);
> +static IIO_DEVICE_ATTR_RO(hwfifo_watermark_max, 0);
> static IIO_DEVICE_ATTR(hwfifo_enabled, S_IRUGO,
> bmc150_accel_get_fifo_state, NULL, 0);
> static IIO_DEVICE_ATTR(hwfifo_watermark, S_IRUGO,
> bmc150_accel_get_fifo_watermark, NULL, 0);
>
> static const struct attribute *bmc150_accel_fifo_attributes[] = {
> - &iio_const_attr_hwfifo_watermark_min.dev_attr.attr,
> - &iio_const_attr_hwfifo_watermark_max.dev_attr.attr,
> + &iio_dev_attr_hwfifo_watermark_min.dev_attr.attr,
> + &iio_dev_attr_hwfifo_watermark_max.dev_attr.attr,
> &iio_dev_attr_hwfifo_watermark.dev_attr.attr,
> &iio_dev_attr_hwfifo_enabled.dev_attr.attr,
> NULL,
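Review bot: The new hwfifo_watermark_min_show()/hwfifo_watermark_max_show() functions and their IIO_DEVICE_ATTR_RO() definitions have no comment explaining why a constant value is exposed through a device attribute instead of IIO_CONST_ATTR(). The commit message says the API does not enforce the attribute type, so a later cleanup could convert these back and reintroduce the invalid access. A short comment above them, stating that every entry in bmc150_accel_fifo_attributes[] must be a device attribute, would guard against that. Minor style point: in both show functions the "%s\n" format is fed a compile-time string, which could be folded into the format string itself, e.g. sysfs_emit(buf, "1\n").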