Date:   Thu, 20 Jul 2023 11:36:29 +0300
From:   Andy Shevchenko <andriy.shevchenko@...ux.intel.com>
To:     Barnabás Pőcze <pobrn@...tonmail.com>
Cc:     linux-kernel@...r.kernel.org, platform-driver-x86@...r.kernel.org,
        Mark Gross <markgross@...nel.org>,
        Hans de Goede <hdegoede@...hat.com>,
        Armin Wolf <W_Armin@....de>
Subject: Re: [RFC PATCH v1] platform/x86: wmi: Do not register driver with
 invalid GUID

On Wed, Jul 19, 2023 at 07:23:37PM +0000, Barnabás Pőcze wrote:
> On Monday, 17 July 2023 at 13:31, Andy Shevchenko wrote:
> > On Mon, Jul 17, 2023 at 11:23:50AM +0000, Barnabás Pőcze wrote:
> > > On Monday, 17 July 2023 at 11:49, Andy Shevchenko <andriy.shevchenko@...ux.intel.com> wrote:
> > > On Sat, Jul 15, 2023 at 09:24:16PM +0000, Barnabás Pőcze wrote:

...

> > > > Besides using wrong API (uuid_*() vs. guid_*() one), I don't
> > >
> > > As far as I can see `guid_parse()` also uses `uuid_is_valid()`, the format is the same.
> > 
> > Then add guid_is_valid() to complete the API. Perhaps with the renaming the
> > common part to something else.
> 
> But that would be the exact same function. GUIDs are UUIDs, aren't they?

Yes and no. If we want to validate the respective bit for GUID vs. UUID, they
will be different. Currently they are the same as validation is relaxed in the
kernel.

> > > > think we need to validate it here. Why not in file2alias.c?
> > > > [...]
> > >
> > > 1) that seems like a more complicated change (duplicating `uuid_is_valid()`?);
> > > 2) that will only check the GUIDs specified by `MODULE_DEVICE_TABLE()`.
> > >
> > > Arguably the second point is not that significant since most users will indeed
> > > use `MODULE_DEVICE_TABLE()`. But I think the first point has some merit. And
> > > furthermore, I think this check should be here regardless of whether file2alias.c
> > > also contains an equivalent/similar check.
> > 
> > Why do we need it? We never match against wrong GUID from ACPI, since it would
> > be very weird ACPI table.
> > [...]
> 
> The point is to catch typos in drivers' WMI ID tables.

Yes, that's what file2alias is for. We trust modules we build, right?
If you don't trust, then we have a much bigger problem than this patch
tries to address.

-- 
With Best Regards,
Andy Shevchenko
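
The kind of check the thread is debating, as an added userspace example that is not code from the patch or from the kernel: a relaxed GUID string format check run over a driver-style ID table to catch a typo. The `demo_*` names, the table layout and the sample GUID strings are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DEMO_GUID_LEN 36
/* Hypothetical userspace stand-in for one entry of a driver's WMI ID table. */
struct demo_wmi_id {
    const char *guid_string;
};

/*
 * Relaxed format check: exactly 36 characters, '-' at offsets 8, 13, 18 and
 * 23, hex digits elsewhere. Version and variant bits are not inspected, so
 * UUID and GUID strings pass or fail identically.
 */
static int demo_guid_string_ok(const char *s)
{
    size_t i;
    if (strlen(s) != DEMO_GUID_LEN)
        return 0;
    for (i = 0; i < DEMO_GUID_LEN; i++) {
        int want_dash = (i == 8 || i == 13 || i == 18 || i == 23);
        if (want_dash ? s[i] != '-' : !isxdigit((unsigned char)s[i]))
            return 0;
    }
    return 1;
}

/* Index of the first malformed entry in an ""-terminated table, or -1. */
static int demo_first_bad_guid(const struct demo_wmi_id *table)
{
    int i;
    for (i = 0; table[i].guid_string[0] != '\0'; i++)
        if (!demo_guid_string_ok(table[i].guid_string))
            return i;
    return -1;
}

/* Constructed sample table: entry 1 ends in the letter 'O', not zero. */
static const struct demo_wmi_id demo_table[] = {
    { "12345678-90AB-CDEF-1234-567890ABCDEF" },
    { "12345678-90AB-CDEF-1234-567890ABCDEO" },
    { "" },
};

int main(void)
{
    printf("first malformed entry: %d\n", demo_first_bad_guid(demo_table));
    return 0;
}
```

The same routine could run at build time or at driver registration; which of the two places it belongs in is the point under discussion in the thread.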

