lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAMZ6RqL87RpZrH39H9c6wi5wg4=1r104oKf542oAZ2vHRke2WQ@mail.gmail.com>
Date:   Fri, 22 Jan 2021 17:51:26 +0900
From:   Vincent MAILHOL <mailhol.vincent@...adoo.fr>
To:     Su Yanjun <suyanjun218@...il.com>
Cc:     Marc Kleine-Budde <mkl@...gutronix.de>,
        manivannan.sadhasivam@...aro.org, thomas.kopp@...rochip.com,
        Wolfgang Grandegger <wg@...ndegger.com>,
        David Miller <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>, lgirdwood@...il.com,
        broonie@...nel.org, linux-can <linux-can@...r.kernel.org>,
        netdev <netdev@...r.kernel.org>,
        open list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v1] can: mcp251xfd: Add some sysfs debug interfaces for
 registers r/w

Hi,

In addition to Marc’s comment, I also have security concerns.

On Fri. 22 Jan 2021 at 15:22, Su Yanjun <suyanjun218@...il.com> wrote:
> When i debug mcp2518fd, some method to track registers is
> needed. This easy debug interface will be ok.
>
> For example,
> read a register at 0xe00:
> echo 0xe00 > can_get_reg
> cat can_get_reg
>
> write a register at 0xe00:
> echo 0xe00,0x60 > can_set_reg

What about:
printf "A%0.s" {1..1000} > can_set_reg

Doesn’t it crash the kernel?

I see no checks of the buf len in your code and I suspect it to be
vulnerable to stack buffer overflow exploits.

> Signed-off-by: Su Yanjun <suyanjun218@...il.com>
> ---
>  .../net/can/spi/mcp251xfd/mcp251xfd-core.c    | 132 ++++++++++++++++++
>  1 file changed, 132 insertions(+)
>
> diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
> index ab8aad0a7594..d65abe5505d5 100644
> --- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
> +++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
> @@ -27,6 +27,131 @@
>
>  #define DEVICE_NAME "mcp251xfd"
>
> +/* Add sysfs debug interface for easy to debug
> + *
> + * For example,
> + *
> + * - read a register
> + * echo 0xe00 > can_get_reg
> + * cat can_get_reg
> + *
> + * - write a register
> + * echo 0xe00,0x1 > can_set_reg
> + *
> + */
> +static int reg_offset;
> +
> +static int __get_param(const char *buf, char *off, char *val)
> +{
> +       int len;
> +
> +       if (!buf || !off || !val)
> +               return -EINVAL;
> +
> +       len = 0;
> +       while (*buf != ',') {
> +               *off++ = *buf++;
> +               len++;
> +
> +               if (len >= 16)
> +                       return -EINVAL;
> +       }
> +
> +       buf++;
> +
> +       *off = '\0';
> +
> +       len = 0;
> +       while (*buf) {
> +               *val++ = *buf++;
> +               len++;
> +
> +               if (len >= 16)
> +                       return -EINVAL;
> +       }
> +
> +       *val = '\0';
> +
> +       return 0;
> +}
> +
> +static ssize_t can_get_reg_show(struct device *dev,
> +                               struct device_attribute *attr, char *buf)
> +{
> +       int err;
> +       u32 val;
> +       struct mcp251xfd_priv *priv;
> +
> +       priv = dev_get_drvdata(dev);
> +
> +       err = regmap_read(priv->map_reg, reg_offset, &val);
> +       if (err)
> +               return 0;
> +
> +       return sprintf(buf, "reg = 0x%08x, val = 0x%08x\n", reg_offset, val);
> +}
> +
> +static ssize_t can_get_reg_store(struct device *dev,
> +                                struct device_attribute *attr, const char *buf, size_t len)
> +{
> +       u32 off;
> +
> +       reg_offset = 0;
> +
> +       if (kstrtouint(buf, 0, &off) || (off % 4))
> +               return -EINVAL;
> +
> +       reg_offset = off;
> +
> +       return len;
> +}
> +
> +static ssize_t can_set_reg_show(struct device *dev,
> +                               struct device_attribute *attr, char *buf)
> +{
> +       return 0;
> +}
> +
> +static ssize_t can_set_reg_store(struct device *dev,
> +                                struct device_attribute *attr, const char *buf, size_t len)
> +{
> +       struct mcp251xfd_priv *priv;
> +       u32 off, val;
> +       int err;
> +
> +       char s1[16];
> +       char s2[16];
> +
> +       if (__get_param(buf, s1, s2))
> +               return -EINVAL;
> +
> +       if (kstrtouint(s1, 0, &off) || (off % 4))
> +               return -EINVAL;
> +
> +       if (kstrtouint(s2, 0, &val))
> +               return -EINVAL;
> +
> +       err = regmap_write(priv->map_reg, off, val);
> +       if (err)
> +               return -EINVAL;
> +
> +       return len;
> +}
> +
> +static DEVICE_ATTR_RW(can_get_reg);
> +static DEVICE_ATTR_RW(can_set_reg);
> +
> +static struct attribute *can_attributes[] = {
> +       &dev_attr_can_get_reg.attr,
> +       &dev_attr_can_set_reg.attr,
> +       NULL
> +};
> +
> +static const struct attribute_group can_group = {
> +       .attrs = can_attributes,
> +       NULL
> +};
> +
>  static const struct mcp251xfd_devtype_data mcp251xfd_devtype_data_mcp2517fd = {
>         .quirks = MCP251XFD_QUIRK_MAB_NO_WARN | MCP251XFD_QUIRK_CRC_REG |
>                 MCP251XFD_QUIRK_CRC_RX | MCP251XFD_QUIRK_CRC_TX |
> @@ -2944,6 +3069,12 @@ static int mcp251xfd_probe(struct spi_device *spi)
>         if (err)
>                 goto out_free_candev;
>
> +       err = sysfs_create_group(&spi->dev.kobj, &can_group);
> +       if (err) {
> +               netdev_err(priv->ndev, "Create can group fail.\n");
> +               goto out_free_candev;
> +       }
> +
>         err = can_rx_offload_add_manual(ndev, &priv->offload,
>                                         MCP251XFD_NAPI_WEIGHT);
>         if (err)
> @@ -2972,6 +3103,7 @@ static int mcp251xfd_remove(struct spi_device *spi)
>         mcp251xfd_unregister(priv);
>         spi->max_speed_hz = priv->spi_max_speed_hz_orig;
>         free_candev(ndev);
> +       sysfs_remove_group(&spi->dev.kobj, &can_group);
>
>         return 0;
>  }
> --
> 2.25.1
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ