lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 21 Dec 2022 07:43:00 +0100
From:   Jiri Slaby <jirislaby@...nel.org>
To:     Krzysztof Kozlowski <krzysztof.kozlowski@...aro.org>,
        Andy Gross <agross@...nel.org>,
        Bjorn Andersson <andersson@...nel.org>,
        Konrad Dybcio <konrad.dybcio@...aro.org>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        Satya Priya <quic_c_skakit@...cinc.com>,
        linux-arm-msm@...r.kernel.org, linux-serial@...r.kernel.org,
        linux-kernel@...r.kernel.org
Cc:     stable@...r.kernel.org
Subject: Re: [PATCH] tty: serial: qcom-geni-serial: fix slab-out-of-bounds on
 RX FIFO buffer

On 20. 12. 22, 17:15, Krzysztof Kozlowski wrote:
> Driver's probe allocates memory for RX FIFO (port->rx_fifo) based on
> default RX FIFO depth, e.g. 16.  Later during serial startup the
> qcom_geni_serial_port_setup() updates the RX FIFO depth
> (port->rx_fifo_depth) to match real device capabilities, e.g. to 32.
...
> If the RX FIFO depth changes after probe, be sure to resize the buffer.
> 
> Fixes: f9d690b6ece7 ("tty: serial: qcom_geni_serial: Allocate port->rx_fifo buffer in probe")
> Cc: <stable@...r.kernel.org>
> Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@...aro.org>

Reviewed-by: Jiri Slaby <jirislaby@...nel.org>

This patch LGTM, I only wonder:

> --- a/drivers/tty/serial/qcom_geni_serial.c
> +++ b/drivers/tty/serial/qcom_geni_serial.c
> @@ -864,9 +864,10 @@ static irqreturn_t qcom_geni_serial_isr(int isr, void *dev)
>   	return IRQ_HANDLED;
>   }
>   
> -static void get_tx_fifo_size(struct qcom_geni_serial_port *port)
> +static int get_tx_fifo_size(struct qcom_geni_serial_port *port)

... why is this function dubbed get_tx_fifo_size(), provided it handles 
rx fifo too? And it does not "get" the tx fifo size. In fact, the 
function sets that :).

>   {
>   	struct uart_port *uport;
> +	u32 old_rx_fifo_depth = port->rx_fifo_depth;
>   
>   	uport = &port->uport;
>   	port->tx_fifo_depth = geni_se_get_tx_fifo_depth(&port->se);
> @@ -874,6 +875,16 @@ static void get_tx_fifo_size(struct qcom_geni_serial_port *port)
>   	port->rx_fifo_depth = geni_se_get_rx_fifo_depth(&port->se);
>   	uport->fifosize =
>   		(port->tx_fifo_depth * port->tx_fifo_width) / BITS_PER_BYTE;
> +
> +	if (port->rx_fifo && (old_rx_fifo_depth != port->rx_fifo_depth) && port->rx_fifo_depth) {
> +		port->rx_fifo = devm_krealloc(uport->dev, port->rx_fifo,
> +					      port->rx_fifo_depth * sizeof(u32),
> +					      GFP_KERNEL);

And now it even allocates memory.

So more appropriate name should be setup_fifos() or similar.

> +		if (!port->rx_fifo)
> +			return -ENOMEM;
> +	}
> +
> +	return 0;


-- 
js
suse labs

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ