lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <9cd0c3cc-9f3c-4a3e-9080-c832def8f317@ideasonboard.com>
Date: Thu, 24 Apr 2025 09:32:22 +0300
From: Tomi Valkeinen <tomi.valkeinen@...asonboard.com>
To: Dan Carpenter <dan.carpenter@...aro.org>,
 Romain Gantois <romain.gantois@...tlin.com>
Cc: Luca Ceresoli <luca.ceresoli@...tlin.com>,
 Wolfram Sang <wsa+renesas@...g-engineering.com>,
 Andi Shyti <andi.shyti@...nel.org>, linux-i2c@...r.kernel.org,
 linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: Re: [PATCH next] i2c: Fix end of loop test in
 i2c_atr_find_mapping_by_addr()

Hi,

On 23/04/2025 20:29, Dan Carpenter wrote:
> On Wed, Apr 23, 2025 at 05:25:44PM +0200, Romain Gantois wrote:
>> Hello Dan,
>>
>> On Wednesday, 23 April 2025 10:21:18 CEST Dan Carpenter wrote:
>>> When the list_for_each_entry_reverse() exits without hitting a break
>>> then the list cursor points to invalid memory.  So this check for
>>> if (c2a->fixed) is checking bogus memory.  Fix it by using a "found"
>>> variable to track if we found what we were looking for or not.
>>
>> IIUC the for loop ending condition in list_for_each_entry_reverse() is
>> "!list_entry_is_head(pos, head, member);", so even if the loop runs to
>> completion, the pointer should still be valid right?
>>
> 
> head is &chan->alias_pairs.  pos is an offset off the head.  In this
> case, the offset is zero.  So it's &chan->alias_pairs minus zero.
> 
> So we exit the list with c2a = (void *)&chan->alias_pairs.
> 
> If you look how struct i2c_atr_chan is declareted the next struct member
> after alias_pairs is:
> 
> 	struct i2c_atr_alias_pool *alias_pool;
> 
> So if (c2a->fixed) is poking around in the alias_pool pointer.  It's not
> out of bounds but it's not valid either.

Maybe it's just me, but I had hard time following that explanation. So 
here's mine:

The list head (i2c_atr_chan.alias_pairs) is not a full entry, it's just 
a struct list_head. When the for loop runs to completion, c2a doesn't 
point to a struct i2c_atr_alias_pair, so you can't access c2a->fixed.

For the patch:

Reviewed-by: Tomi Valkeinen <tomi.valkeinen@...asonboard.com>

  Tomi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ