| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <fc480d25aabaa3923f24bbaa9b0f329f78c40abb.camel@linux.intel.com>
Date: Mon, 07 Nov 2022 10:54:08 -0800
From: "David E. Box" <david.e.box@...ux.intel.com>
To: Armin Wolf <W_Armin@....de>, hdegoede@...hat.com,
markgross@...nel.org
Cc: platform-driver-x86@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/2] platform/x86: dell-ddv: Improve buffer handling
On Wed, 2022-11-02 at 22:23 +0100, Armin Wolf wrote:
> When the DDV interface returns a buffer, it actually
> returns a acpi buffer containing an integer (buffer size)
> and another acpi buffer (buffer content).
> The size of the buffer may be smaller than the size of
> the buffer content, which is perfectly valid and should not
> be treated as an error.
Is there documentation for this that you can refer to?
> Also use the buffer size instead of the buffer content size
> when accessing the buffer to prevent accessing bogus data.
>
> Tested on a Dell Inspiron 3505.
>
> Signed-off-by: Armin Wolf <W_Armin@....de>
> ---
> drivers/platform/x86/dell/dell-wmi-ddv.c | 12 +++++++-----
> 1 file changed, 7 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/platform/x86/dell/dell-wmi-ddv.c
> b/drivers/platform/x86/dell/dell-wmi-ddv.c
> index 699feae3c435..1a001296e8c6 100644
> --- a/drivers/platform/x86/dell/dell-wmi-ddv.c
> +++ b/drivers/platform/x86/dell/dell-wmi-ddv.c
> @@ -129,9 +129,9 @@ static int dell_wmi_ddv_query_buffer(struct wmi_device
> *wdev, enum dell_ddv_meth
> if (obj->package.elements[1].type != ACPI_TYPE_BUFFER)
> goto err_free;
>
> - if (buffer_size != obj->package.elements[1].buffer.length) {
> + if (buffer_size > obj->package.elements[1].buffer.length) {
> dev_warn(&wdev->dev,
> - FW_WARN "ACPI buffer size (%llu) does not match WMI
> buffer size (%d)\n",
> + FW_WARN "WMI buffer size (%llu) exceeds ACPI buffer
> size (%d)\n",
> buffer_size, obj->package.elements[1].buffer.length);
>
> goto err_free;
> @@ -271,15 +271,17 @@ static int dell_wmi_ddv_buffer_read(struct seq_file
> *seq, enum dell_ddv_method m
> struct device *dev = seq->private;
> struct dell_wmi_ddv_data *data = dev_get_drvdata(dev);
> union acpi_object *obj;
> - union acpi_object buf;
> + u64 size;
> + u8 *buf;
> int ret;
>
> ret = dell_wmi_ddv_query_buffer(data->wdev, method, 0, &obj);
> if (ret < 0)
> return ret;
>
> - buf = obj->package.elements[1];
> - ret = seq_write(seq, buf.buffer.pointer, buf.buffer.length);
> + size = obj->package.elements[0].integer.value;
> + buf = obj->package.elements[1].buffer.pointer;
> + ret = seq_write(seq, buf, size);
Okay, so the buffer may provide more space than what should actually be used
according to the size field. This looks like a bug that should have a fixes tag
on the original commit.
David
> kfree(obj);
>
> return ret;
> --
> 2.30.2
>
Powered by blists - more mailing lists