| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <45684212-92ce-e771-08d8-c405a196a4fc@nebelwelt.net>
Date: Sun, 9 Dec 2018 21:02:25 +0100
From: Mathias Payer <mathias.payer@...elwelt.net>
To: David Miller <davem@...emloft.net>, gregkh@...uxfoundation.org
Cc: netdev@...r.kernel.org, linux-usb@...r.kernel.org,
bigeasy@...utronix.de, benquike@...il.com
Subject: Re: [PATCH] USB: hso: Fix OOB memory access in
hso_probe/hso_get_config_data
Hi David,
>> + } else {
>> port_spec = hso_get_config_data(interface);
>> + if (IS_ERR_VALUE((long)port_spec))
>> + goto exit;
>
> 'port_spec' is an 'int', it makes no sense to cast it 3 times all the
> way back to 'int' to figure out if it is a negative error value or
> not. (--> long --> void * --> int)
>
Passing an int to the macro results in a compiler warning. One option would be
to test for the individual errors (instead of using the macro) with the drawback
that future extensions that return different errors may be missed. Another
alternative is to test for negative values with the drawback that this bypasses
the existing test macros.
Also, the macro does not cast back to int but unsigned long:
https://elixir.bootlin.com/linux/v4.20-rc5/source/include/linux/err.h#L22
#define IS_ERR_VALUE(x) unlikely((unsigned long)(void *)(x) >= (unsigned
long)-MAX_ERRNO)
The cast chain is int -> long -> void * -> unsigned long.
What other check would you propose?
Thanks,
Mathias
Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)
Powered by blists - more mailing lists