lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4ab55129-d35c-fea5-0c59-5183928d55d1@redhat.com>
Date:   Mon, 7 Aug 2023 13:28:01 +0200
From:   Hans de Goede <hdegoede@...hat.com>
To:     Jorge Lopez <jorgealtxwork@...il.com>,
        platform-driver-x86@...r.kernel.org, linux-kernel@...r.kernel.org,
        thomas@...ch.de, ilpo.jarvinen@...ux.intel.com,
        dan.carpenter@...aro.org
Subject: Re: [PATCH] hp-bioscfg: Update string length calculation

Hi Jorge,

On 8/1/23 21:16, Jorge Lopez wrote:
> Replace method how the string length is calculated.
> Removed unused variable 'size'
> 
> Signed-off-by: Jorge Lopez <jorge.lopez2@...com>

While reviewing this I have noticed that the parsing of ORD_LIST_ELEMENTS
in hp_populate_ordered_list_elements_from_package() seems to be quite buggy:

1. Normally str_value and value_len get set for string type package elements by:

                case ACPI_TYPE_STRING:
                        if (elem != PREREQUISITES && elem != ORD_LIST_ELEMENTS) {
                                ret = hp_convert_hexstr_to_str(order_obj[elem].string.pointer,
                                                               order_obj[elem].string.length,
                                                               &str_value, &value_len);
                                if (ret)
                                        continue;
                        }
                        break;

But notice how the  hp_convert_hexstr_to_str() call gets stepped when
elem == ORD_LIST_ELEMENTS .

Yes when next dealing with ORD_LIST_ELEMENTS the never updated str_value and value_len
get used:

		switch (eloc) {
		...
                case ORD_LIST_ELEMENTS:
                        /*
                         * Ordered list data is stored in hex and comma separated format
                         * Convert the data and split it to show each element
                         */
                        ret = hp_convert_hexstr_to_str(str_value, value_len, &tmpstr, &tmp_len);
                        if (ret)
                                goto exit_list;

So that does not seem right.

2. ordered_list_data->elements[0] never gets filled when there actually is a comma in
   the ordered-list, iow when there is more then 1 element:

                        part_tmp = tmpstr;
                        part = strsep(&part_tmp, COMMA_SEP);
                        if (!part)
                                strscpy(ordered_list_data->elements[0],
                                        tmpstr,
                                        sizeof(ordered_list_data->elements[0]));

                        for (elem = 1; elem < MAX_ELEMENTS_SIZE && part; elem++) {
                                strscpy(ordered_list_data->elements[elem],
                                        part,
                                        sizeof(ordered_list_data->elements[elem]));
                                part = strsep(&part_tmp, SEMICOLON_SEP);
                        }

Notice how the for starts at elem = 1, so if part is not NULL (and it is never NULL for the first call strsep will always return tmpstr) then ordered_list_data->elements[0] never gets filled.

3. ordered_list_data->elements_size is set but never validated. You should compare elem after the loop with ordered_list_data->elements_size and make sure they match. IOW verify that 0-(ordered_list_data->elements_size-1) entries of the ordered_list_data->elements[] array have been filled.

4. For specific values of eloc the code expects the current order_obj[elem] to be either an integer or a string, but this is not validated. Please validate that order_obj[elem].type matches with what is expected (string or int) for the current value of eloc.

This all makes me wonder if this specific code-path has been tested ?  Please make sure to test this specific code-path.

Regards,

Hans





> 
> ---
> Based on the latest platform-drivers-x86.git/for-next
> ---
>  drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c | 6 ++----
>  1 file changed, 2 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c b/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c
> index cffc1c9ba3e7..b19644ed12e0 100644
> --- a/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c
> +++ b/drivers/platform/x86/hp/hp-bioscfg/order-list-attributes.c
> @@ -258,13 +258,11 @@ static int hp_populate_ordered_list_elements_from_package(union acpi_object *ord
>  				eloc++;
>  			break;
>  		case ORD_LIST_ELEMENTS:
> -			size = ordered_list_data->elements_size;
> -
>  			/*
>  			 * Ordered list data is stored in hex and comma separated format
>  			 * Convert the data and split it to show each element
>  			 */
> -			ret = hp_convert_hexstr_to_str(str_value, value_len, &tmpstr, &tmp_len);
> +			ret = hp_convert_hexstr_to_str(str_value, strlen(str_value), &tmpstr, &tmp_len);
>  			if (ret)
>  				goto exit_list;
>  
> @@ -279,7 +277,7 @@ static int hp_populate_ordered_list_elements_from_package(union acpi_object *ord
>  				strscpy(ordered_list_data->elements[olist_elem],
>  					part,
>  					sizeof(ordered_list_data->elements[olist_elem]));
> -				part = strsep(&part_tmp, SEMICOLON_SEP);
> +				part = strsep(&part_tmp, COMMA_SEP);
>  			}
>  
>  			kfree(str_value);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ