lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 12 Dec 2022 14:35:04 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: Prashanth K <quic_prashk@...cinc.com> Cc: "Gustavo A . R . Silva" <gustavoars@...nel.org>, Shuah Khan <skhan@...uxfoundation.org>, John Keeping <john@...anate.com>, Linyu Yuan <quic_linyyuan@...cinc.com>, Pratham Pratap <quic_ppratap@...cinc.com>, Vincent Pelletier <plr.vincent@...il.com>, Dan Carpenter <error27@...il.com>, Udipto Goswami <quic_ugoswami@...cinc.com>, linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org, "# 5 . 15" <stable@...r.kernel.org> Subject: Re: usb: f_fs: Fix CFI failure in ki_complete On Mon, Dec 12, 2022 at 06:54:24PM +0530, Prashanth K wrote: > Function pointer ki_complete() expects 'long' as its second > argument, but we pass integer from ffs_user_copy_worker. This > might cause a CFI failure, as ki_complete is an indirect call > with mismatched prototype. Fix this by typecasting the second > argument to long. "might"? Does it or not? If it does, why hasn't this been reported before? > Cc: <stable@...r.kernel.org> # 5.15 CFI first showed up in 6.1, not 5.15, right? > Signed-off-by: Prashanth K <quic_prashk@...cinc.com> > > --- > drivers/usb/gadget/function/f_fs.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c > index 73dc10a7..9c26561 100644 > --- a/drivers/usb/gadget/function/f_fs.c > +++ b/drivers/usb/gadget/function/f_fs.c > @@ -835,7 +835,7 @@ static void ffs_user_copy_worker(struct work_struct *work) > kthread_unuse_mm(io_data->mm); > } > > - io_data->kiocb->ki_complete(io_data->kiocb, ret); > + io_data->kiocb->ki_complete(io_data->kiocb, (long)ret); Why just fix up this one instance? What about ep_user_copy_worker()? And what about all other calls to ki_complete that are not using a (long) cast? This feels wrong, what exactly is the reported error and how come other kernel calls to this function pointer have not had a problem with CFI? ceph_aio_complete() would be another example, right? thanks, greg k-h
Powered by blists - more mailing lists