lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20180830075421.czsb5pa5b2vygp2m@mwanda> Date: Thu, 30 Aug 2018 10:54:21 +0300 From: Dan Carpenter <dan.carpenter@...cle.com> To: Xue Liu <liuxuenetmail@...il.com> Cc: "alex. aring" <alex.aring@...il.com>, Stefan Schmidt <stefan@...enfreihafen.org>, "David S. Miller" <davem@...emloft.net>, linux-wpan - ML <linux-wpan@...r.kernel.org>, netdev@...r.kernel.org, kernel-janitors@...r.kernel.org Subject: Re: [PATCH] ieee802154: mcr20a: read out of bounds in mcr20a_set_channel() On Wed, Aug 29, 2018 at 07:50:51PM +0200, Xue Liu wrote: > Hello Dan, > > > On Wed, 29 Aug 2018 at 16:49, Dan Carpenter <dan.carpenter@...cle.com> > wrote: > > > The "channel" variable can be any u8 value. We need to make sure we > > don't read outside of the PLL_INT[] or PLL_FRAC[] arrays. > > > I think the “channel” variable can not be any u8 value. This values is > already checked before set_channel function is called. > https://github.com/torvalds/linux/blob/master/net/ieee802154/nl802154.c#L978 Oh... Hm... I should have reviewed more carefully. This patch isn't correct. But there may still be a bug. What Smatch is worried about is the other call tree: ieee802154_start_req() calls (struct ieee802154_mlme_ops)->start_req -> mac802154_mlme_start_req() -> mac802154_dev_set_page_channel() -> drv_set_channel() calls local->ops->set_channel(&local->hw, page, channel); -> mcr20a_set_channel() So maybe we could move the check from nl802154_set_channel() to drv_set_channel() so channel is checked on both call trees. regards, dan carpenter
Powered by blists - more mailing lists