* [PATCH 1/4] misc: xilinx_sdfec: Fix a couple small information leaks
@ 2019-08-21 7:06 Dan Carpenter
2019-08-21 7:07 ` [PATCH 2/4] misc: xilinx_sdfec: Return -EFAULT if copy_from_user() fails Dan Carpenter
` (4 more replies)
0 siblings, 5 replies; 15+ messages in thread
From: Dan Carpenter @ 2019-08-21 7:06 UTC (permalink / raw)
To: Derek Kiernan, Dragan Cvetic
Cc: Arnd Bergmann, Greg Kroah-Hartman, kernel-janitors, Michal Simek,
linux-kernel, linux-arm-kernel
These structs have holes in them so we end up disclosing a few bytes of
uninitialized stack data.
drivers/misc/xilinx_sdfec.c:305 xsdfec_get_status() warn: check that 'status' doesn't leak information (struct has a hole after 'activity')
drivers/misc/xilinx_sdfec.c:449 xsdfec_get_turbo() warn: check that 'turbo_params' doesn't leak information (struct has a hole after 'scale')
We need to zero out the holes with memset().
Fixes: 6bd6a690c2e7 ("misc: xilinx_sdfec: Add stats & status ioctls")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
drivers/misc/xilinx_sdfec.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/misc/xilinx_sdfec.c b/drivers/misc/xilinx_sdfec.c
index 912e939dec62..dc1b8b412712 100644
--- a/drivers/misc/xilinx_sdfec.c
+++ b/drivers/misc/xilinx_sdfec.c
@@ -295,6 +295,7 @@ static int xsdfec_get_status(struct xsdfec_dev *xsdfec, void __user *arg)
struct xsdfec_status status;
int err;
+ memset(&status, 0, sizeof(status));
spin_lock_irqsave(&xsdfec->error_data_lock, xsdfec->flags);
status.state = xsdfec->state;
xsdfec->state_updated = false;
@@ -440,6 +441,7 @@ static int xsdfec_get_turbo(struct xsdfec_dev *xsdfec, void __user *arg)
if (xsdfec->config.code == XSDFEC_LDPC_CODE)
return -EIO;
+ memset(&turbo_params, 0, sizeof(turbo_params));
reg_value = xsdfec_regread(xsdfec, XSDFEC_TURBO_ADDR);
turbo_params.scale = (reg_value & XSDFEC_TURBO_SCALE_MASK) >>
--
2.20.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH 2/4] misc: xilinx_sdfec: Return -EFAULT if copy_from_user() fails
2019-08-21 7:06 [PATCH 1/4] misc: xilinx_sdfec: Fix a couple small information leaks Dan Carpenter
@ 2019-08-21 7:07 ` Dan Carpenter
2019-08-22 8:16 ` Michal Simek
` (2 more replies)
2019-08-21 7:09 ` [PATCH 3/4] misc: xilinx_sdfec: Prevent a divide by zero in xsdfec_reg0_write() Dan Carpenter
` (3 subsequent siblings)
4 siblings, 3 replies; 15+ messages in thread
From: Dan Carpenter @ 2019-08-21 7:07 UTC (permalink / raw)
To: Derek Kiernan, Dragan Cvetic
Cc: Arnd Bergmann, Greg Kroah-Hartman, kernel-janitors, Michal Simek,
linux-kernel, linux-arm-kernel
The copy_from_user() funciton returns the number of bytes remaining to
be copied but we want to return -EFAULT to the user.
Fixes: 20ec628e8007 ("misc: xilinx_sdfec: Add ability to configure LDPC")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
drivers/misc/xilinx_sdfec.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/misc/xilinx_sdfec.c b/drivers/misc/xilinx_sdfec.c
index dc1b8b412712..813b82c59360 100644
--- a/drivers/misc/xilinx_sdfec.c
+++ b/drivers/misc/xilinx_sdfec.c
@@ -651,9 +651,10 @@ static int xsdfec_add_ldpc(struct xsdfec_dev *xsdfec, void __user *arg)
if (!ldpc)
return -ENOMEM;
- ret = copy_from_user(ldpc, arg, sizeof(*ldpc));
- if (ret)
+ if (copy_from_user(ldpc, arg, sizeof(*ldpc))) {
+ ret = -EFAULT;
goto err_out;
+ }
if (xsdfec->config.code == XSDFEC_TURBO_CODE) {
ret = -EIO;
--
2.20.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH 3/4] misc: xilinx_sdfec: Prevent a divide by zero in xsdfec_reg0_write()
2019-08-21 7:06 [PATCH 1/4] misc: xilinx_sdfec: Fix a couple small information leaks Dan Carpenter
2019-08-21 7:07 ` [PATCH 2/4] misc: xilinx_sdfec: Return -EFAULT if copy_from_user() fails Dan Carpenter
@ 2019-08-21 7:09 ` Dan Carpenter
2019-08-22 8:18 ` Michal Simek
2019-08-23 8:23 ` Dragan Cvetic
2019-08-21 7:11 ` [PATCH 4/4] misc: xilinx_sdfec: Prevent integer overflow in xsdfec_table_write() Dan Carpenter
` (2 subsequent siblings)
4 siblings, 2 replies; 15+ messages in thread
From: Dan Carpenter @ 2019-08-21 7:09 UTC (permalink / raw)
To: Derek Kiernan, Dragan Cvetic
Cc: Arnd Bergmann, Greg Kroah-Hartman, kernel-janitors, Michal Simek,
linux-kernel, linux-arm-kernel
The "psize" value comes from the user so we need to verify that it's
non-zero before we check if "n % psize" or it will crash.
Fixes: 20ec628e8007 ("misc: xilinx_sdfec: Add ability to configure LDPC")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
The parentheses in this condition are a no-op. They're just confusing.
Perhaps something else was intended?
drivers/misc/xilinx_sdfec.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/misc/xilinx_sdfec.c b/drivers/misc/xilinx_sdfec.c
index 813b82c59360..3fc53d20abf3 100644
--- a/drivers/misc/xilinx_sdfec.c
+++ b/drivers/misc/xilinx_sdfec.c
@@ -460,7 +460,7 @@ static int xsdfec_reg0_write(struct xsdfec_dev *xsdfec, u32 n, u32 k, u32 psize,
{
u32 wdata;
- if (n < XSDFEC_REG0_N_MIN || n > XSDFEC_REG0_N_MAX ||
+ if (n < XSDFEC_REG0_N_MIN || n > XSDFEC_REG0_N_MAX || psize == 0 ||
(n > XSDFEC_REG0_N_MUL_P * psize) || n <= k || ((n % psize) != 0)) {
dev_dbg(xsdfec->dev, "N value is not in range");
return -EINVAL;
--
2.20.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH 4/4] misc: xilinx_sdfec: Prevent integer overflow in xsdfec_table_write()
2019-08-21 7:06 [PATCH 1/4] misc: xilinx_sdfec: Fix a couple small information leaks Dan Carpenter
2019-08-21 7:07 ` [PATCH 2/4] misc: xilinx_sdfec: Return -EFAULT if copy_from_user() fails Dan Carpenter
2019-08-21 7:09 ` [PATCH 3/4] misc: xilinx_sdfec: Prevent a divide by zero in xsdfec_reg0_write() Dan Carpenter
@ 2019-08-21 7:11 ` Dan Carpenter
2019-08-22 8:27 ` Michal Simek
2019-08-22 17:55 ` Dragan Cvetic
2019-08-22 8:14 ` [PATCH 1/4] misc: xilinx_sdfec: Fix a couple small information leaks Michal Simek
2019-08-22 17:47 ` Dragan Cvetic
4 siblings, 2 replies; 15+ messages in thread
From: Dan Carpenter @ 2019-08-21 7:11 UTC (permalink / raw)
To: Derek Kiernan, Dragan Cvetic
Cc: Arnd Bergmann, Greg Kroah-Hartman, kernel-janitors, Michal Simek,
linux-kernel, linux-arm-kernel
The checking here needs to handle integer overflows because "offset" and
"len" come from the user.
Fixes: 20ec628e8007 ("misc: xilinx_sdfec: Add ability to configure LDPC")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
drivers/misc/xilinx_sdfec.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/misc/xilinx_sdfec.c b/drivers/misc/xilinx_sdfec.c
index 3fc53d20abf3..0bf3bcc8e1ef 100644
--- a/drivers/misc/xilinx_sdfec.c
+++ b/drivers/misc/xilinx_sdfec.c
@@ -611,7 +611,9 @@ static int xsdfec_table_write(struct xsdfec_dev *xsdfec, u32 offset,
* Writes that go beyond the length of
* Shared Scale(SC) table should fail
*/
- if ((XSDFEC_REG_WIDTH_JUMP * (offset + len)) > depth) {
+ if (offset > depth / XSDFEC_REG_WIDTH_JUMP ||
+ len > depth / XSDFEC_REG_WIDTH_JUMP ||
+ offset + len > depth / XSDFEC_REG_WIDTH_JUMP) {
dev_dbg(xsdfec->dev, "Write exceeds SC table length");
return -EINVAL;
}
--
2.20.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [PATCH 1/4] misc: xilinx_sdfec: Fix a couple small information leaks
2019-08-21 7:06 [PATCH 1/4] misc: xilinx_sdfec: Fix a couple small information leaks Dan Carpenter
` (2 preceding siblings ...)
2019-08-21 7:11 ` [PATCH 4/4] misc: xilinx_sdfec: Prevent integer overflow in xsdfec_table_write() Dan Carpenter
@ 2019-08-22 8:14 ` Michal Simek
2019-08-22 8:28 ` Dan Carpenter
2019-08-22 17:47 ` Dragan Cvetic
4 siblings, 1 reply; 15+ messages in thread
From: Michal Simek @ 2019-08-22 8:14 UTC (permalink / raw)
To: Dan Carpenter, Derek Kiernan, Dragan Cvetic
Cc: Arnd Bergmann, Greg Kroah-Hartman, kernel-janitors, Michal Simek,
linux-kernel, linux-arm-kernel
Hi Dan,
On 21. 08. 19 9:06, Dan Carpenter wrote:
> These structs have holes in them so we end up disclosing a few bytes of
> uninitialized stack data.
>
> drivers/misc/xilinx_sdfec.c:305 xsdfec_get_status() warn: check that 'status' doesn't leak information (struct has a hole after 'activity')
> drivers/misc/xilinx_sdfec.c:449 xsdfec_get_turbo() warn: check that 'turbo_params' doesn't leak information (struct has a hole after 'scale')
Who is generating these warnings? Is this any new GCC or different tool?
I see that 3byte padding but never seen these warnings.
> We need to zero out the holes with memset().
>
> Fixes: 6bd6a690c2e7 ("misc: xilinx_sdfec: Add stats & status ioctls")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> drivers/misc/xilinx_sdfec.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/misc/xilinx_sdfec.c b/drivers/misc/xilinx_sdfec.c
> index 912e939dec62..dc1b8b412712 100644
> --- a/drivers/misc/xilinx_sdfec.c
> +++ b/drivers/misc/xilinx_sdfec.c
> @@ -295,6 +295,7 @@ static int xsdfec_get_status(struct xsdfec_dev *xsdfec, void __user *arg)
> struct xsdfec_status status;
> int err;
>
> + memset(&status, 0, sizeof(status));
> spin_lock_irqsave(&xsdfec->error_data_lock, xsdfec->flags);
> status.state = xsdfec->state;
> xsdfec->state_updated = false;
> @@ -440,6 +441,7 @@ static int xsdfec_get_turbo(struct xsdfec_dev *xsdfec, void __user *arg)
> if (xsdfec->config.code == XSDFEC_LDPC_CODE)
> return -EIO;
>
> + memset(&turbo_params, 0, sizeof(turbo_params));
> reg_value = xsdfec_regread(xsdfec, XSDFEC_TURBO_ADDR);
>
> turbo_params.scale = (reg_value & XSDFEC_TURBO_SCALE_MASK) >>
>
Reviewed-by: Michal Simek <michal.simek@xilinx.com>
Thanks,
Michal
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH 2/4] misc: xilinx_sdfec: Return -EFAULT if copy_from_user() fails
2019-08-21 7:07 ` [PATCH 2/4] misc: xilinx_sdfec: Return -EFAULT if copy_from_user() fails Dan Carpenter
@ 2019-08-22 8:16 ` Michal Simek
2019-08-22 8:31 ` [PATCH 2/4 v2] " Dan Carpenter
2019-08-22 17:47 ` [PATCH 2/4] " Dragan Cvetic
2 siblings, 0 replies; 15+ messages in thread
From: Michal Simek @ 2019-08-22 8:16 UTC (permalink / raw)
To: Dan Carpenter, Derek Kiernan, Dragan Cvetic
Cc: Arnd Bergmann, Greg Kroah-Hartman, kernel-janitors, Michal Simek,
linux-kernel, linux-arm-kernel
On 21. 08. 19 9:07, Dan Carpenter wrote:
> The copy_from_user() funciton returns the number of bytes remaining to
typo here.
> be copied but we want to return -EFAULT to the user.
>
> Fixes: 20ec628e8007 ("misc: xilinx_sdfec: Add ability to configure LDPC")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> drivers/misc/xilinx_sdfec.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/misc/xilinx_sdfec.c b/drivers/misc/xilinx_sdfec.c
> index dc1b8b412712..813b82c59360 100644
> --- a/drivers/misc/xilinx_sdfec.c
> +++ b/drivers/misc/xilinx_sdfec.c
> @@ -651,9 +651,10 @@ static int xsdfec_add_ldpc(struct xsdfec_dev *xsdfec, void __user *arg)
> if (!ldpc)
> return -ENOMEM;
>
> - ret = copy_from_user(ldpc, arg, sizeof(*ldpc));
> - if (ret)
> + if (copy_from_user(ldpc, arg, sizeof(*ldpc))) {
> + ret = -EFAULT;
> goto err_out;
> + }
>
> if (xsdfec->config.code == XSDFEC_TURBO_CODE) {
> ret = -EIO;
>
When typo fixed feel free to add my
Reviewed-by: Michal Simek <michal.simek@xilinx.com>
Thanks,
Michal
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH 3/4] misc: xilinx_sdfec: Prevent a divide by zero in xsdfec_reg0_write()
2019-08-21 7:09 ` [PATCH 3/4] misc: xilinx_sdfec: Prevent a divide by zero in xsdfec_reg0_write() Dan Carpenter
@ 2019-08-22 8:18 ` Michal Simek
2019-08-23 8:23 ` Dragan Cvetic
1 sibling, 0 replies; 15+ messages in thread
From: Michal Simek @ 2019-08-22 8:18 UTC (permalink / raw)
To: Dan Carpenter, Derek Kiernan, Dragan Cvetic
Cc: Arnd Bergmann, Greg Kroah-Hartman, kernel-janitors, Michal Simek,
linux-kernel, linux-arm-kernel
On 21. 08. 19 9:09, Dan Carpenter wrote:
> The "psize" value comes from the user so we need to verify that it's
> non-zero before we check if "n % psize" or it will crash.
>
> Fixes: 20ec628e8007 ("misc: xilinx_sdfec: Add ability to configure LDPC")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> The parentheses in this condition are a no-op. They're just confusing.
> Perhaps something else was intended?
>
> drivers/misc/xilinx_sdfec.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/misc/xilinx_sdfec.c b/drivers/misc/xilinx_sdfec.c
> index 813b82c59360..3fc53d20abf3 100644
> --- a/drivers/misc/xilinx_sdfec.c
> +++ b/drivers/misc/xilinx_sdfec.c
> @@ -460,7 +460,7 @@ static int xsdfec_reg0_write(struct xsdfec_dev *xsdfec, u32 n, u32 k, u32 psize,
> {
> u32 wdata;
>
> - if (n < XSDFEC_REG0_N_MIN || n > XSDFEC_REG0_N_MAX ||
> + if (n < XSDFEC_REG0_N_MIN || n > XSDFEC_REG0_N_MAX || psize == 0 ||
> (n > XSDFEC_REG0_N_MUL_P * psize) || n <= k || ((n % psize) != 0)) {
> dev_dbg(xsdfec->dev, "N value is not in range");
> return -EINVAL;
>
Reviewed-by: Michal Simek <michal.simek@xilinx.com>
Thanks,
Michal
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH 4/4] misc: xilinx_sdfec: Prevent integer overflow in xsdfec_table_write()
2019-08-21 7:11 ` [PATCH 4/4] misc: xilinx_sdfec: Prevent integer overflow in xsdfec_table_write() Dan Carpenter
@ 2019-08-22 8:27 ` Michal Simek
2019-08-22 17:55 ` Dragan Cvetic
1 sibling, 0 replies; 15+ messages in thread
From: Michal Simek @ 2019-08-22 8:27 UTC (permalink / raw)
To: Dan Carpenter, Derek Kiernan, Dragan Cvetic
Cc: Arnd Bergmann, Greg Kroah-Hartman, kernel-janitors, Michal Simek,
linux-kernel, linux-arm-kernel
On 21. 08. 19 9:11, Dan Carpenter wrote:
> The checking here needs to handle integer overflows because "offset" and
> "len" come from the user.
>
> Fixes: 20ec628e8007 ("misc: xilinx_sdfec: Add ability to configure LDPC")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> drivers/misc/xilinx_sdfec.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/misc/xilinx_sdfec.c b/drivers/misc/xilinx_sdfec.c
> index 3fc53d20abf3..0bf3bcc8e1ef 100644
> --- a/drivers/misc/xilinx_sdfec.c
> +++ b/drivers/misc/xilinx_sdfec.c
> @@ -611,7 +611,9 @@ static int xsdfec_table_write(struct xsdfec_dev *xsdfec, u32 offset,
> * Writes that go beyond the length of
> * Shared Scale(SC) table should fail
> */
> - if ((XSDFEC_REG_WIDTH_JUMP * (offset + len)) > depth) {
> + if (offset > depth / XSDFEC_REG_WIDTH_JUMP ||
> + len > depth / XSDFEC_REG_WIDTH_JUMP ||
> + offset + len > depth / XSDFEC_REG_WIDTH_JUMP) {
> dev_dbg(xsdfec->dev, "Write exceeds SC table length");
> return -EINVAL;
> }
>
Reviewed-by: Michal Simek <michal.simek@xilinx.com>
Thanks,
Michal
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH 1/4] misc: xilinx_sdfec: Fix a couple small information leaks
2019-08-22 8:14 ` [PATCH 1/4] misc: xilinx_sdfec: Fix a couple small information leaks Michal Simek
@ 2019-08-22 8:28 ` Dan Carpenter
2019-08-22 8:49 ` Michal Simek
0 siblings, 1 reply; 15+ messages in thread
From: Dan Carpenter @ 2019-08-22 8:28 UTC (permalink / raw)
To: Michal Simek
Cc: Arnd Bergmann, Greg Kroah-Hartman, Dragan Cvetic,
kernel-janitors, linux-kernel, Derek Kiernan, linux-arm-kernel
On Thu, Aug 22, 2019 at 10:14:12AM +0200, Michal Simek wrote:
> Hi Dan,
>
> On 21. 08. 19 9:06, Dan Carpenter wrote:
> > These structs have holes in them so we end up disclosing a few bytes of
> > uninitialized stack data.
> >
> > drivers/misc/xilinx_sdfec.c:305 xsdfec_get_status() warn: check that 'status' doesn't leak information (struct has a hole after 'activity')
> > drivers/misc/xilinx_sdfec.c:449 xsdfec_get_turbo() warn: check that 'turbo_params' doesn't leak information (struct has a hole after 'scale')
>
> Who is generating these warnings? Is this any new GCC or different tool?
> I see that 3byte padding but never seen these warnings.
This is a Smatch check.
regards,
dan carpenter
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH 2/4 v2] misc: xilinx_sdfec: Return -EFAULT if copy_from_user() fails
2019-08-21 7:07 ` [PATCH 2/4] misc: xilinx_sdfec: Return -EFAULT if copy_from_user() fails Dan Carpenter
2019-08-22 8:16 ` Michal Simek
@ 2019-08-22 8:31 ` Dan Carpenter
2019-08-22 17:47 ` [PATCH 2/4] " Dragan Cvetic
2 siblings, 0 replies; 15+ messages in thread
From: Dan Carpenter @ 2019-08-22 8:31 UTC (permalink / raw)
To: Derek Kiernan, Dragan Cvetic
Cc: Arnd Bergmann, Greg Kroah-Hartman, kernel-janitors, Michal Simek,
linux-kernel, linux-arm-kernel
The copy_from_user() function returns the number of bytes remaining to
be copied but we want to return -EFAULT to the user.
Fixes: 20ec628e8007 ("misc: xilinx_sdfec: Add ability to configure LDPC")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Michal Simek <michal.simek@xilinx.com>
---
v2: Fix a typo in the commit message. funciton --> function
drivers/misc/xilinx_sdfec.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/misc/xilinx_sdfec.c b/drivers/misc/xilinx_sdfec.c
index dc1b8b412712..813b82c59360 100644
--- a/drivers/misc/xilinx_sdfec.c
+++ b/drivers/misc/xilinx_sdfec.c
@@ -651,9 +651,10 @@ static int xsdfec_add_ldpc(struct xsdfec_dev *xsdfec, void __user *arg)
if (!ldpc)
return -ENOMEM;
- ret = copy_from_user(ldpc, arg, sizeof(*ldpc));
- if (ret)
+ if (copy_from_user(ldpc, arg, sizeof(*ldpc))) {
+ ret = -EFAULT;
goto err_out;
+ }
if (xsdfec->config.code == XSDFEC_TURBO_CODE) {
ret = -EIO;
--
2.20.1
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [PATCH 1/4] misc: xilinx_sdfec: Fix a couple small information leaks
2019-08-22 8:28 ` Dan Carpenter
@ 2019-08-22 8:49 ` Michal Simek
0 siblings, 0 replies; 15+ messages in thread
From: Michal Simek @ 2019-08-22 8:49 UTC (permalink / raw)
To: Dan Carpenter, Michal Simek
Cc: Arnd Bergmann, Greg Kroah-Hartman, Dragan Cvetic,
kernel-janitors, linux-kernel, Derek Kiernan, linux-arm-kernel
On 22. 08. 19 10:28, Dan Carpenter wrote:
> On Thu, Aug 22, 2019 at 10:14:12AM +0200, Michal Simek wrote:
>> Hi Dan,
>>
>> On 21. 08. 19 9:06, Dan Carpenter wrote:
>>> These structs have holes in them so we end up disclosing a few bytes of
>>> uninitialized stack data.
>>>
>>> drivers/misc/xilinx_sdfec.c:305 xsdfec_get_status() warn: check that 'status' doesn't leak information (struct has a hole after 'activity')
>>> drivers/misc/xilinx_sdfec.c:449 xsdfec_get_turbo() warn: check that 'turbo_params' doesn't leak information (struct has a hole after 'scale')
>>
>> Who is generating these warnings? Is this any new GCC or different tool?
>> I see that 3byte padding but never seen these warnings.
>
> This is a Smatch check.
ok. It looks like I need to update it to latest version. My version is
not showing these.
Anyway thanks for patches,
Michal
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 15+ messages in thread
* RE: [PATCH 1/4] misc: xilinx_sdfec: Fix a couple small information leaks
2019-08-21 7:06 [PATCH 1/4] misc: xilinx_sdfec: Fix a couple small information leaks Dan Carpenter
` (3 preceding siblings ...)
2019-08-22 8:14 ` [PATCH 1/4] misc: xilinx_sdfec: Fix a couple small information leaks Michal Simek
@ 2019-08-22 17:47 ` Dragan Cvetic
4 siblings, 0 replies; 15+ messages in thread
From: Dragan Cvetic @ 2019-08-22 17:47 UTC (permalink / raw)
To: Dan Carpenter, Derek Kiernan
Cc: Arnd Bergmann, Greg Kroah-Hartman, kernel-janitors, linux-kernel,
Michal Simek, linux-arm-kernel
Hi Dan,
> -----Original Message-----
> From: Dan Carpenter [mailto:dan.carpenter@oracle.com]
> Sent: Wednesday 21 August 2019 08:06
> To: Derek Kiernan <dkiernan@xilinx.com>; Dragan Cvetic <draganc@xilinx.com>
> Cc: Arnd Bergmann <arnd@arndb.de>; Greg Kroah-Hartman <gregkh@linuxfoundation.org>; Michal Simek <michals@xilinx.com>;
> linux-arm-kernel@lists.infradead.org; linux-kernel@vger.kernel.org; kernel-janitors@vger.kernel.org
> Subject: [PATCH 1/4] misc: xilinx_sdfec: Fix a couple small information leaks
>
> These structs have holes in them so we end up disclosing a few bytes of
> uninitialized stack data.
>
> drivers/misc/xilinx_sdfec.c:305 xsdfec_get_status() warn: check that 'status' doesn't leak information (struct has a hole after 'activity')
> drivers/misc/xilinx_sdfec.c:449 xsdfec_get_turbo() warn: check that 'turbo_params' doesn't leak information (struct has a hole after
> 'scale')
>
> We need to zero out the holes with memset().
>
> Fixes: 6bd6a690c2e7 ("misc: xilinx_sdfec: Add stats & status ioctls")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> drivers/misc/xilinx_sdfec.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/misc/xilinx_sdfec.c b/drivers/misc/xilinx_sdfec.c
> index 912e939dec62..dc1b8b412712 100644
> --- a/drivers/misc/xilinx_sdfec.c
> +++ b/drivers/misc/xilinx_sdfec.c
> @@ -295,6 +295,7 @@ static int xsdfec_get_status(struct xsdfec_dev *xsdfec, void __user *arg)
> struct xsdfec_status status;
> int err;
>
> + memset(&status, 0, sizeof(status));
> spin_lock_irqsave(&xsdfec->error_data_lock, xsdfec->flags);
> status.state = xsdfec->state;
> xsdfec->state_updated = false;
> @@ -440,6 +441,7 @@ static int xsdfec_get_turbo(struct xsdfec_dev *xsdfec, void __user *arg)
> if (xsdfec->config.code == XSDFEC_LDPC_CODE)
> return -EIO;
>
> + memset(&turbo_params, 0, sizeof(turbo_params));
> reg_value = xsdfec_regread(xsdfec, XSDFEC_TURBO_ADDR);
>
> turbo_params.scale = (reg_value & XSDFEC_TURBO_SCALE_MASK) >>
> --
> 2.20.1
Reviewed-by: Dragan Cvetic <dragan.cvetic@xilinx.com>
Thanks,
Dragan
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 15+ messages in thread
* RE: [PATCH 2/4] misc: xilinx_sdfec: Return -EFAULT if copy_from_user() fails
2019-08-21 7:07 ` [PATCH 2/4] misc: xilinx_sdfec: Return -EFAULT if copy_from_user() fails Dan Carpenter
2019-08-22 8:16 ` Michal Simek
2019-08-22 8:31 ` [PATCH 2/4 v2] " Dan Carpenter
@ 2019-08-22 17:47 ` Dragan Cvetic
2 siblings, 0 replies; 15+ messages in thread
From: Dragan Cvetic @ 2019-08-22 17:47 UTC (permalink / raw)
To: Dan Carpenter, Derek Kiernan
Cc: Arnd Bergmann, Greg Kroah-Hartman, kernel-janitors, linux-kernel,
Michal Simek, linux-arm-kernel
Hi Dan,
> -----Original Message-----
> From: Dan Carpenter [mailto:dan.carpenter@oracle.com]
> Sent: Wednesday 21 August 2019 08:07
> To: Derek Kiernan <dkiernan@xilinx.com>; Dragan Cvetic <draganc@xilinx.com>
> Cc: Arnd Bergmann <arnd@arndb.de>; Greg Kroah-Hartman <gregkh@linuxfoundation.org>; Michal Simek <michals@xilinx.com>;
> linux-arm-kernel@lists.infradead.org; linux-kernel@vger.kernel.org; kernel-janitors@vger.kernel.org
> Subject: [PATCH 2/4] misc: xilinx_sdfec: Return -EFAULT if copy_from_user() fails
>
> The copy_from_user() funciton returns the number of bytes remaining to
> be copied but we want to return -EFAULT to the user.
>
> Fixes: 20ec628e8007 ("misc: xilinx_sdfec: Add ability to configure LDPC")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> drivers/misc/xilinx_sdfec.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/misc/xilinx_sdfec.c b/drivers/misc/xilinx_sdfec.c
> index dc1b8b412712..813b82c59360 100644
> --- a/drivers/misc/xilinx_sdfec.c
> +++ b/drivers/misc/xilinx_sdfec.c
> @@ -651,9 +651,10 @@ static int xsdfec_add_ldpc(struct xsdfec_dev *xsdfec, void __user *arg)
> if (!ldpc)
> return -ENOMEM;
>
> - ret = copy_from_user(ldpc, arg, sizeof(*ldpc));
> - if (ret)
> + if (copy_from_user(ldpc, arg, sizeof(*ldpc))) {
> + ret = -EFAULT;
> goto err_out;
> + }
>
> if (xsdfec->config.code == XSDFEC_TURBO_CODE) {
> ret = -EIO;
> --
> 2.20.1
Reviewed-by: Dragan Cvetic <dragan.cvetic@xilinx.com>
Thanks,
Dragan
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 15+ messages in thread
* RE: [PATCH 4/4] misc: xilinx_sdfec: Prevent integer overflow in xsdfec_table_write()
2019-08-21 7:11 ` [PATCH 4/4] misc: xilinx_sdfec: Prevent integer overflow in xsdfec_table_write() Dan Carpenter
2019-08-22 8:27 ` Michal Simek
@ 2019-08-22 17:55 ` Dragan Cvetic
1 sibling, 0 replies; 15+ messages in thread
From: Dragan Cvetic @ 2019-08-22 17:55 UTC (permalink / raw)
To: Dan Carpenter, Derek Kiernan
Cc: Arnd Bergmann, Greg Kroah-Hartman, kernel-janitors, linux-kernel,
Michal Simek, linux-arm-kernel
Hi Dan,
> -----Original Message-----
> From: Dan Carpenter [mailto:dan.carpenter@oracle.com]
> Sent: Wednesday 21 August 2019 08:11
> To: Derek Kiernan <dkiernan@xilinx.com>; Dragan Cvetic <draganc@xilinx.com>
> Cc: Arnd Bergmann <arnd@arndb.de>; Greg Kroah-Hartman <gregkh@linuxfoundation.org>; Michal Simek <michals@xilinx.com>;
> linux-arm-kernel@lists.infradead.org; linux-kernel@vger.kernel.org; kernel-janitors@vger.kernel.org
> Subject: [PATCH 4/4] misc: xilinx_sdfec: Prevent integer overflow in xsdfec_table_write()
>
> The checking here needs to handle integer overflows because "offset" and
> "len" come from the user.
Good catch, thanks.
>
> Fixes: 20ec628e8007 ("misc: xilinx_sdfec: Add ability to configure LDPC")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> drivers/misc/xilinx_sdfec.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/misc/xilinx_sdfec.c b/drivers/misc/xilinx_sdfec.c
> index 3fc53d20abf3..0bf3bcc8e1ef 100644
> --- a/drivers/misc/xilinx_sdfec.c
> +++ b/drivers/misc/xilinx_sdfec.c
> @@ -611,7 +611,9 @@ static int xsdfec_table_write(struct xsdfec_dev *xsdfec, u32 offset,
> * Writes that go beyond the length of
> * Shared Scale(SC) table should fail
> */
> - if ((XSDFEC_REG_WIDTH_JUMP * (offset + len)) > depth) {
> + if (offset > depth / XSDFEC_REG_WIDTH_JUMP ||
> + len > depth / XSDFEC_REG_WIDTH_JUMP ||
> + offset + len > depth / XSDFEC_REG_WIDTH_JUMP) {
> dev_dbg(xsdfec->dev, "Write exceeds SC table length");
> return -EINVAL;
> }
> --
> 2.20.1
Reviewed-by: Dragan Cvetic <dragan.cvetic@xilinx.com>
Thanks
Dragan
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 15+ messages in thread
* RE: [PATCH 3/4] misc: xilinx_sdfec: Prevent a divide by zero in xsdfec_reg0_write()
2019-08-21 7:09 ` [PATCH 3/4] misc: xilinx_sdfec: Prevent a divide by zero in xsdfec_reg0_write() Dan Carpenter
2019-08-22 8:18 ` Michal Simek
@ 2019-08-23 8:23 ` Dragan Cvetic
1 sibling, 0 replies; 15+ messages in thread
From: Dragan Cvetic @ 2019-08-23 8:23 UTC (permalink / raw)
To: Dan Carpenter, Derek Kiernan
Cc: Arnd Bergmann, Greg Kroah-Hartman, kernel-janitors, linux-kernel,
Michal Simek, linux-arm-kernel
Hi Dan,
> -----Original Message-----
> From: Dan Carpenter [mailto:dan.carpenter@oracle.com]
> Sent: Wednesday 21 August 2019 08:10
> To: Derek Kiernan <dkiernan@xilinx.com>; Dragan Cvetic <draganc@xilinx.com>
> Cc: Arnd Bergmann <arnd@arndb.de>; Greg Kroah-Hartman <gregkh@linuxfoundation.org>; Michal Simek <michals@xilinx.com>;
> linux-arm-kernel@lists.infradead.org; linux-kernel@vger.kernel.org; kernel-janitors@vger.kernel.org
> Subject: [PATCH 3/4] misc: xilinx_sdfec: Prevent a divide by zero in xsdfec_reg0_write()
>
> The "psize" value comes from the user so we need to verify that it's
> non-zero before we check if "n % psize" or it will crash.
>
> Fixes: 20ec628e8007 ("misc: xilinx_sdfec: Add ability to configure LDPC")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> The parentheses in this condition are a no-op. They're just confusing.
> Perhaps something else was intended?
>
> drivers/misc/xilinx_sdfec.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/misc/xilinx_sdfec.c b/drivers/misc/xilinx_sdfec.c
> index 813b82c59360..3fc53d20abf3 100644
> --- a/drivers/misc/xilinx_sdfec.c
> +++ b/drivers/misc/xilinx_sdfec.c
> @@ -460,7 +460,7 @@ static int xsdfec_reg0_write(struct xsdfec_dev *xsdfec, u32 n, u32 k, u32 psize,
> {
> u32 wdata;
>
> - if (n < XSDFEC_REG0_N_MIN || n > XSDFEC_REG0_N_MAX ||
> + if (n < XSDFEC_REG0_N_MIN || n > XSDFEC_REG0_N_MAX || psize == 0 ||
> (n > XSDFEC_REG0_N_MUL_P * psize) || n <= k || ((n % psize) != 0)) {
> dev_dbg(xsdfec->dev, "N value is not in range");
> return -EINVAL;
> --
> 2.20.1
Reviewed-by: Dragan Cvetic <dragan.cvetic@xilinx.com>
Thanks,
Dragan
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2019-08-23 8:24 UTC | newest]
Thread overview: 15+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-21 7:06 [PATCH 1/4] misc: xilinx_sdfec: Fix a couple small information leaks Dan Carpenter
2019-08-21 7:07 ` [PATCH 2/4] misc: xilinx_sdfec: Return -EFAULT if copy_from_user() fails Dan Carpenter
2019-08-22 8:16 ` Michal Simek
2019-08-22 8:31 ` [PATCH 2/4 v2] " Dan Carpenter
2019-08-22 17:47 ` [PATCH 2/4] " Dragan Cvetic
2019-08-21 7:09 ` [PATCH 3/4] misc: xilinx_sdfec: Prevent a divide by zero in xsdfec_reg0_write() Dan Carpenter
2019-08-22 8:18 ` Michal Simek
2019-08-23 8:23 ` Dragan Cvetic
2019-08-21 7:11 ` [PATCH 4/4] misc: xilinx_sdfec: Prevent integer overflow in xsdfec_table_write() Dan Carpenter
2019-08-22 8:27 ` Michal Simek
2019-08-22 17:55 ` Dragan Cvetic
2019-08-22 8:14 ` [PATCH 1/4] misc: xilinx_sdfec: Fix a couple small information leaks Michal Simek
2019-08-22 8:28 ` Dan Carpenter
2019-08-22 8:49 ` Michal Simek
2019-08-22 17:47 ` Dragan Cvetic
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).