* [PATCH linux dev-4.7] drivers: fsi: Fix FSI core size checking user interfaces
@ 2017-02-21 21:17 Eddie James
  2017-02-22  0:44 ` Jeremy Kerr
  0 siblings, 1 reply; 3+ messages in thread
From: Eddie James @ 2017-02-21 21:17 UTC (permalink / raw)
  To: openbmc; +Cc: joel, cbostic, Edward A. James

From: "Edward A. James" <eajames@us.ibm.com>

Some potential for integer overflow and not checking signed offsets.

Signed-off-by: Edward A. James <eajames@us.ibm.com>
---
 drivers/fsi/fsi-core.c | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/drivers/fsi/fsi-core.c b/drivers/fsi/fsi-core.c
index d63a892..e13774f 100644
--- a/drivers/fsi/fsi-core.c
+++ b/drivers/fsi/fsi-core.c
@@ -90,10 +90,7 @@ static int fsi_slave_write(struct fsi_slave *slave, uint32_t addr,
 int fsi_device_read(struct fsi_device *dev, uint32_t addr, void *val,
 		size_t size)
 {
-	if (addr > dev->size)
-		return -EINVAL;
-
-	if (addr + size > dev->size)
+	if (addr > dev->size || size > dev->size || addr > dev->size - size)
 		return -EINVAL;
 
 	return fsi_slave_read(dev->slave, dev->addr + addr, val, size);
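Review bot: the first clause of the new condition in fsi_device_read, `addr > dev->size`, is redundant. Because of short-circuit evaluation, `dev->size - size` is only computed once `size > dev->size` has been ruled out, so it cannot underflow and is never larger than `dev->size`; `addr > dev->size - size` therefore already rejects every `addr` above `dev->size`. Consider dropping the first clause, or keeping the checks split and adding a one-line comment that the subtraction form replaces `addr + size` to avoid wraparound. Separately, this check bounds `addr` within the device window only; the `dev->addr + addr` passed to fsi_slave_read on the next line is not checked for wrap here.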
@@ -103,10 +100,7 @@ EXPORT_SYMBOL_GPL(fsi_device_read);
 int fsi_device_write(struct fsi_device *dev, uint32_t addr, const void *val,
 		size_t size)
 {
-	if (addr > dev->size)
-		return -EINVAL;
-
-	if (addr + size > dev->size)
+	if (addr > dev->size || size > dev->size || addr > dev->size - size)
 		return -EINVAL;
 
 	return fsi_slave_write(dev->slave, dev->addr + addr, val, size);
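Review bot: the range check in fsi_device_write is a character-for-character copy of the one added to fsi_device_read, and both were wrong in the same way before this patch. Moving the test into one small static helper that takes dev, addr and size and is called from both functions would keep the two paths from drifting the next time the condition changes, and would give a single place to document why the subtraction form is used.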
@@ -328,7 +322,7 @@ static ssize_t fsi_slave_sysfs_raw_read(struct file *file,
 	if (count != 4 || off & 0x3)
 		return -EINVAL;
 
-	if (off > 0xffffffff)
+	if (off > 0xfffffffc || off < 0)
 		return -EINVAL;
 
 	rc = fsi_slave_read(slave, off, buf, 4);
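Review bot: in fsi_slave_sysfs_raw_read the change of the upper bound from 0xffffffff to 0xfffffffc has no effect on its own, because the preceding `off & 0x3` test already rejects unaligned offsets and 0xfffffffc is the largest aligned value not above 0xffffffff. The functional fix in this hunk is the added `off < 0` test. The bare constant deserves a short comment or a named macro saying it is the last 4-byte-aligned address in the 32-bit space, and putting `off < 0` first would make the signed check easier to spot.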
@@ -346,7 +340,7 @@ static ssize_t fsi_slave_sysfs_raw_write(struct file *file,
 	if (count != 4 || off & 0x3)
 		return -EINVAL;
 
-	if (off > 0xffffffff)
+	if (off > 0xfffffffc || off < 0)
 		return -EINVAL;
 
 	rc = fsi_slave_write(slave, off, buf, 4);
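Review bot: in fsi_slave_sysfs_raw_write, `off` is passed straight to fsi_slave_write, whose addr parameter is uint32_t, so the call narrows it implicitly and the range test just above is the only thing that makes that narrowing safe. A comment tying the two together, or an explicit uint32_t local assigned after the check, would make the dependency visible to whoever edits the bound next. The same applies to the read path.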
-- 
1.8.3.1


* Re: [PATCH linux dev-4.7] drivers: fsi: Fix FSI core size checking user interfaces
  2017-02-21 21:17 [PATCH linux dev-4.7] drivers: fsi: Fix FSI core size checking user interfaces Eddie James
@ 2017-02-22  0:44 ` Jeremy Kerr
  2017-02-22 14:01   ` Joel Stanley
  0 siblings, 1 reply; 3+ messages in thread
From: Jeremy Kerr @ 2017-02-22  0:44 UTC (permalink / raw)
  To: Eddie James, openbmc; +Cc: Edward A. James, cbostic

Hi Eddie,

> Some potential for integer overflow and not checking signed offsets.

[...]

>  int fsi_device_read(struct fsi_device *dev, uint32_t addr, void *val,
>  		size_t size)
>  {
> -	if (addr > dev->size)
> -		return -EINVAL;
> -
> -	if (addr + size > dev->size)
> +	if (addr > dev->size || size > dev->size || addr > dev->size - size)
>  		return -EINVAL;

I liked the split conditional statements, but that's only personal
preference. Regardless, LGTM.

Acked-by: Jeremy Kerr <jk@ozlabs.org>

Cheers,


Jeremy


* Re: [PATCH linux dev-4.7] drivers: fsi: Fix FSI core size checking user interfaces
  2017-02-22  0:44 ` Jeremy Kerr
@ 2017-02-22 14:01   ` Joel Stanley
  0 siblings, 0 replies; 3+ messages in thread
From: Joel Stanley @ 2017-02-22 14:01 UTC (permalink / raw)
  To: Jeremy Kerr
  Cc: Eddie James, OpenBMC Maillist, Edward A. James, Christopher Bostic

On Wed, Feb 22, 2017 at 11:14 AM, Jeremy Kerr <jk@ozlabs.org> wrote:
> Hi Eddie,
>
>> Some potential for integer overflow and not checking signed offsets.
>
> [...]
>
>>  int fsi_device_read(struct fsi_device *dev, uint32_t addr, void *val,
>>               size_t size)
>>  {
>> -     if (addr > dev->size)
>> -             return -EINVAL;
>> -
>> -     if (addr + size > dev->size)
>> +     if (addr > dev->size || size > dev->size || addr > dev->size - size)
>>               return -EINVAL;
>
> I liked the split conditional statements, but that's only personal
> preference. Regardless, LGTM.

My personal preference is also to split them out. It makes them easier
to read, and there's less noise in the diff if the conditions need to
be updated.

I applied this as-is to dev-4.7 for now.

> Acked-by: Jeremy Kerr <jk@ozlabs.org>

Thanks for the review Jeremy.

Cheers,

Joel
