lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87o784ac55.fsf@jubnut.com>
Date: Thu, 13 Jun 2024 20:14:14 +0100
From: Ben Walsh <ben@...nut.com>
To: Tzung-Bi Shih <tzungbi@...nel.org>
Cc: Dan Carpenter <dan.carpenter@...aro.org>, Benson Leung
 <bleung@...omium.org>, Guenter Roeck <groeck@...omium.org>,
 chrome-platform@...ts.linux.dev, linux-kernel@...r.kernel.org,
 kernel-janitors@...r.kernel.org
Subject: Re: [PATCH] platform/chrome: cros_ec_lpc: Fix error code in
 cros_ec_lpc_mec_read_bytes()

Tzung-Bi Shih <tzungbi@...nel.org> writes:

> On Thu, Jun 13, 2024 at 05:51:39PM +0100, Ben Walsh wrote:
>> 
>> Thanks for fixing this! Unfortunately `in_range` returns -EINVAL if
>> length == 0 (see the definition of `fwk_ec_lpc_mec_in_range`). I'm sure
>> this broke something in my testing, but I can't find what it was now.
>
> Somewhere like [1] could accidentally get the -EINVAL.
>
> [1]: https://elixir.bootlin.com/linux/v6.9/source/drivers/platform/chrome/cros_ec_lpc.c#L232

Yes. It turns out I'm getting it in:

cros_ec_query_all -> cros_ec_proto_info -> ... -> cros_ec_pkt_xfer_lpc

          /* Read response and update checksum */
          ret = cros_ec_lpc_ops.read(EC_LPC_ADDR_HOST_PARAM, args.data_size,
                                                             ^^^^^^^^^^^^^^^
                                     msg->data);

(as Dan suggested in his email).

>>   or 2. Put in a check for length == 0.
>> 
>>   or 3. Change the logic in `fwk_ec_lpc_mec_in_range`. Although I'm not
>>   sure what the correct answer is to "zero length is in range?"
>> 
>> I prefer option 2. What do you think?
>
> How about drop the length check at [2]?
>
> [2]: https://elixir.bootlin.com/linux/v6.9/source/drivers/platform/chrome/cros_ec_lpc_mec.c#L44
>

This works, but we still end up calling cros_ec_lpc_io_bytes_mec() with
zero length. Although this seems to work fine, we could put a length
check at the top of cros_ec_lpc_read_bytes() to avoid it.

>>
>> Dan Carpenter <dan.carpenter@...aro.org> writes:
>> 
>> > We changed these functions to returning negative error codes, but this
>> > first error path was accidentally overlooked.  It leads to a Smatch
>> > warning:
>> >
>> >     drivers/platform/chrome/cros_ec_lpc.c:181 ec_response_timed_out()
>> >     error: uninitialized symbol 'data'.
>> >
>> > Fix this by returning the error code instead of success.
>> >
>> > Fixes: 68dbac0a58ef ("platform/chrome: cros_ec_lpc: MEC access can return error code")
>> > Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
>> > ---
>> >  drivers/platform/chrome/cros_ec_lpc.c | 4 ++--
>> >  1 file changed, 2 insertions(+), 2 deletions(-)
>> >
>> > diff --git a/drivers/platform/chrome/cros_ec_lpc.c b/drivers/platform/chrome/cros_ec_lpc.c
>> > index ebe9fb143840..f0470248b109 100644
>> > --- a/drivers/platform/chrome/cros_ec_lpc.c
>> > +++ b/drivers/platform/chrome/cros_ec_lpc.c
>> > @@ -139,7 +139,7 @@ static int cros_ec_lpc_mec_read_bytes(unsigned int offset, unsigned int length,
>> >  	int in_range = cros_ec_lpc_mec_in_range(offset, length);
>> >  
>> >  	if (in_range < 0)
>> > -		return 0;
>> > +		return in_range;
>> >  
>> >  	return in_range ?
>> >  		cros_ec_lpc_io_bytes_mec(MEC_IO_READ,
>> > @@ -158,7 +158,7 @@ static int cros_ec_lpc_mec_write_bytes(unsigned int offset, unsigned int length,
>> >  	int in_range = cros_ec_lpc_mec_in_range(offset, length);
>> >  
>> >  	if (in_range < 0)
>> > -		return 0;
>> > +		return in_range;
>> >  
>> >  	return in_range ?
>> >  		cros_ec_lpc_io_bytes_mec(MEC_IO_WRITE,
>> > -- 
>> > 2.43.0
>> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ