From: Oleksij Rempel <o.rempel@pengutronix.de>
To: Jonathan Cameron <jic23@kernel.org>
Cc: devicetree@vger.kernel.org, Lars-Peter Clausen <lars@metafoo.de>,
linux-iio@vger.kernel.org,
Robin van der Gracht <robin@protonic.nl>,
linux-kernel@vger.kernel.org,
Pengutronix Kernel Team <kernel@pengutronix.de>,
David Jander <david@protonic.nl>
Subject: Re: [PATCH v1 1/1] iio: adc: tsc2046: fix memory corruption by preventing array overflow
Date: Mon, 10 Jan 2022 08:19:45 +0100 [thread overview]
Message-ID: <20220110071945.GB3326@pengutronix.de> (raw)
In-Reply-To: <20220109152557.74f06d2d@jic23-huawei>
Hi Jonathan,
On Sun, Jan 09, 2022 at 03:25:57PM +0000, Jonathan Cameron wrote:
> On Fri, 7 Jan 2022 09:14:01 +0100
> Oleksij Rempel <o.rempel@pengutronix.de> wrote:
>
> > On one side we have indio_dev->num_channels includes all physical channels +
> > timestamp channel. On other side we have an array allocated only for
> > physical channels. So, fix memory corruption by ARRAY_SIZE() instead of
> > num_channels variable.
> >
> > Fixes: 9374e8f5a38d ("iio: adc: add ADC driver for the TI TSC2046 controller")
> > Signed-off-by: Oleksij Rempel <o.rempel@pengutronix.de>
> Hi Olesij,
>
> Have you managed to make this occur, or is it inspection only?
Yes, this bug has eaten my rx_one and tx_one pointers on probe. I wonted
to use this buffers for read_raw and noticed that they do not exist.
> I 'think' (it's been a while since I looked at the particular code) that the timestamp
> bit in active_scan_mask will never actually be set because we handle that as a
> separate flag.
I didn't tested if active_scan_mask will trigger this issue as well, but
It it looked safer to me, to avoid this issue in both places. Even if on
of it is only theoretical.
> So it is indeed an efficiency improvement to not check that bit but I don't think
> it's a bug to do so. More than possible I'm missing something though!
>
> This one had me quite worried when I first read it because this is a very common
> pattern to see in IIO drivers.
I was thinking about this as well, because big part of this code was
inspired by other drivers. But i didn't reviewed other places so far.
Regards,
Oleksij
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
next prev parent reply other threads:[~2022-01-10 7:19 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-07 8:14 [PATCH v1 1/1] iio: adc: tsc2046: fix memory corruption by preventing array overflow Oleksij Rempel
2022-01-09 15:25 ` Jonathan Cameron
2022-01-10 7:19 ` Oleksij Rempel [this message]
2022-01-15 18:16 ` Jonathan Cameron
2022-01-16 11:58 ` Jonathan Cameron
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220110071945.GB3326@pengutronix.de \
--to=o.rempel@pengutronix.de \
--cc=david@protonic.nl \
--cc=devicetree@vger.kernel.org \
--cc=jic23@kernel.org \
--cc=kernel@pengutronix.de \
--cc=lars@metafoo.de \
--cc=linux-iio@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=robin@protonic.nl \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.