lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <8b737d87-a7e6-4a01-959e-d0b65b54eea9@roeck-us.net>
Date: Thu, 19 Jun 2025 09:54:39 -0700
From: Guenter Roeck <linux@...ck-us.net>
To: Edward Adam Davis <eadavis@...com>,
 syzbot+3bbbade4e1a7ab45ca3b@...kaller.appspotmail.com
Cc: jdelvare@...e.com, linux-hwmon@...r.kernel.org,
 linux-kernel@...r.kernel.org, mail@...iuszachmann.de,
 syzkaller-bugs@...glegroups.com
Subject: Re: [PATCH] hwmon: fill it with 0 when data size is insufficient

On 6/19/25 06:37, Edward Adam Davis wrote:
> When the data size returned by the sensor is less than IN_BUFFER_SIZE,
> it is padded with 0.
> 

The subject is missing the affected driver, and I really very much prefer
actually validating the return data instead of just assuming that it is
ok to fill the buffer with 0. So I'll take Marius' patch instead.

On a side note, please don't send patches as reply to some other e-mail.
That only asks for it to get lost.

Thanks,
Guenter


> Reported-by: syzbot+3bbbade4e1a7ab45ca3b@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=3bbbade4e1a7ab45ca3b
> Signed-off-by: Edward Adam Davis <eadavis@...com>
> ---
>   drivers/hwmon/corsair-cpro.c | 2 ++
>   1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/hwmon/corsair-cpro.c b/drivers/hwmon/corsair-cpro.c
> index e1a7f7aa7f80..274864e8a8e7 100644
> --- a/drivers/hwmon/corsair-cpro.c
> +++ b/drivers/hwmon/corsair-cpro.c
> @@ -157,6 +157,8 @@ static int ccp_raw_event(struct hid_device *hdev, struct hid_report *report, u8
>   	spin_lock(&ccp->wait_input_report_lock);
>   	if (!completion_done(&ccp->wait_input_report)) {
>   		memcpy(ccp->buffer, data, min(IN_BUFFER_SIZE, size));
> +		if (size < IN_BUFFER_SIZE)
> +			memset(ccp->buffer + size, 0, IN_BUFFER_SIZE - size);
>   		complete_all(&ccp->wait_input_report);
>   	}
>   	spin_unlock(&ccp->wait_input_report_lock);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ