| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CACMJSevsbXeVV8t=nZ1L_ZCefuaU0Ew5=VFcSWTSHpMj_Bo92A@mail.gmail.com> Date: Mon, 7 Oct 2024 16:23:26 +0200 From: Bartosz Golaszewski <bartosz.golaszewski@...aro.org> To: Bjorn Andersson <andersson@...nel.org> Cc: Kuldeep Singh <quic_kuldsing@...cinc.com>, Konrad Dybcio <konradybcio@...nel.org>, linux-arm-msm@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH 2/2] firmware: qcom: qcom_tzmem: Implement sanity checks On Mon, 7 Oct 2024 at 03:18, Bjorn Andersson <andersson@...nel.org> wrote: > > On Sat, Oct 05, 2024 at 07:31:50PM GMT, Kuldeep Singh wrote: > > The qcom_tzmem driver currently has multiple exposed APIs that lack > > validations on input parameters. This oversight can lead to unexpected > > crashes due to null pointer dereference when incorrect inputs are > > provided. > > > > To address this issue, add required sanity for all input parameters in > > the exposed APIs. > > > > Unless there's good reason for the opposite, I rather see that we define > the API to only accept valid pointers. Then if a client passes a NULL we > get a oops with a nice callstack, which is easy to debug. > > The alternative is that we return -EINVAL, which not unlikely is > propagated to some application which may or may not result in a bug > report from a user - without any tangible information about where things > went wrong. Agreed, I don't think this is a good pattern in a kernel API (as opposed to user-space interfaces where we validate everything). We expect a certain level of sanity from in-kernel users. Bart
Powered by blists - more mailing lists