lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250430142522.6cf327c3@booty>
Date: Wed, 30 Apr 2025 14:25:22 +0200
From: Luca Ceresoli <luca.ceresoli@...tlin.com>
To: Romain Gantois <romain.gantois@...tlin.com>
Cc: Dan Carpenter <dan.carpenter@...aro.org>, Tomi Valkeinen
 <tomi.valkeinen@...asonboard.com>, Wolfram Sang
 <wsa+renesas@...g-engineering.com>, Andi Shyti <andi.shyti@...nel.org>,
 linux-i2c@...r.kernel.org, linux-kernel@...r.kernel.org,
 kernel-janitors@...r.kernel.org
Subject: Re: [PATCH next] i2c: Fix end of loop test in
 i2c_atr_find_mapping_by_addr()

On Thu, 24 Apr 2025 09:10:43 +0200
Romain Gantois <romain.gantois@...tlin.com> wrote:

> On Thursday, 24 April 2025 08:32:22 CEST Tomi Valkeinen wrote:
> > Hi,
> > 
> > On 23/04/2025 20:29, Dan Carpenter wrote:  
> > > On Wed, Apr 23, 2025 at 05:25:44PM +0200, Romain Gantois wrote:  
> > >> Hello Dan,
> > >> 
> > >> On Wednesday, 23 April 2025 10:21:18 CEST Dan Carpenter wrote:  
> > >>> When the list_for_each_entry_reverse() exits without hitting a break
> > >>> then the list cursor points to invalid memory.  So this check for
> > >>> if (c2a->fixed) is checking bogus memory.  Fix it by using a "found"
> > >>> variable to track if we found what we were looking for or not.  
> > >> 
> > >> IIUC the for loop ending condition in list_for_each_entry_reverse() is
> > >> "!list_entry_is_head(pos, head, member);", so even if the loop runs to
> > >> completion, the pointer should still be valid right?  
> > > 
> > > head is &chan->alias_pairs.  pos is an offset off the head.  In this
> > > case, the offset is zero.  So it's &chan->alias_pairs minus zero.
> > > 
> > > So we exit the list with c2a = (void *)&chan->alias_pairs.
> > > 
> > > If you look how struct i2c_atr_chan is declareted the next struct member
> > > 
> > > after alias_pairs is:
> > > 	struct i2c_atr_alias_pool *alias_pool;
> > > 
> > > So if (c2a->fixed) is poking around in the alias_pool pointer.  It's not
> > > out of bounds but it's not valid either.  
> > 
> > Maybe it's just me, but I had hard time following that explanation. So
> > here's mine:
> > 
> > The list head (i2c_atr_chan.alias_pairs) is not a full entry, it's just
> > a struct list_head. When the for loop runs to completion, c2a doesn't
> > point to a struct i2c_atr_alias_pair, so you can't access c2a->fixed.  
> 
> Ah I see, in that case thanks for the fix Dan!
> 
> Reviewed-by: Romain Gantois <romain.gantois@...tlin.com>

Reviewed-by: Luca Ceresoli <luca.ceresoli@...tlin.com>

-- 
Luca Ceresoli, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ