lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ZArha1XDXWV1QVIz@kroah.com>
Date:   Fri, 10 Mar 2023 08:51:07 +0100
From:   Greg KH <gregkh@...uxfoundation.org>
To:     Xujun Leng <lengxujun2007@....com>
Cc:     linux-kernel@...r.kernel.org, rafael@...nel.org
Subject: Re: [PATCH] driver core: platform: added arguments check for
 platform_device_add_resources()

On Fri, Mar 10, 2023 at 02:55:46PM +0800, Xujun Leng wrote:
> > On Tue, Mar 07, 2023 at 01:01:16PM +0800, Xujun Leng wrote:
> > > In the follow two cases, platform_device_add_resources() can lead an
> > > invalid address access:
> > > 1) If (!res && num > 0), pdev->resource will be set to NULL but
> > >    pdev->num_resources > 0, then a later platform_get_resource() will
> > >    cause invalid address access.
> > > 2) If (res && num == 0), because num == 0 cause kmalloc_slab() returns
> > >    ZERO_SIZE_PTR, then kmemdup() will copy data to the invalid address
> > >    ZERO_SIZE_PTR.
> > > 
> > > Signed-off-by: Xujun Leng <lengxujun2007@....com>
> > > ---
> > >  drivers/base/platform.c | 3 +++
> > >  1 file changed, 3 insertions(+)
> > > 
> > > diff --git a/drivers/base/platform.c b/drivers/base/platform.c
> > > index 77510e4f47de..a060941c3076 100644
> > > --- a/drivers/base/platform.c
> > > +++ b/drivers/base/platform.c
> > > @@ -606,6 +606,9 @@ int platform_device_add_resources(struct platform_device *pdev,
> > >  {
> > >  	struct resource *r = NULL;
> > >  
> > > +	if ((!res && num > 0) || (res && num == 0))
> > > +		return -EINVAL;
> > 
> > What driver is causing this check to fail today?  Shouldn't that be
> > fixed instead?
> 
> Ok, I got it. It's the caller's responsibility to take care about that.

Maybe, I don't know, which is why I am asking what driver is triggering
this kind of failure.  Can you point me at one that causes this so we
can see if this is something that a driver should be catching before it
calls this, or if it is something that this core function should catch
instead?

thanks,

greg k-h

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ