Linux Input Archive on lore.kernel.org
From: Roy Im <roy.im.opensource@diasemi.com>
To: Jes Sorensen <jes.sorensen@gmail.com>,
	Roy Im <roy.im.opensource@diasemi.com>,
	Uwe Kleine-Koenig <u.kleine-koenig@pengutronix.de>,
	Bartosz Golaszewski <bgolaszewski@baylibre.com>,
	Brian Masney <masneyb@onstation.org>,
	Dmitry Torokhov <dmitry.torokhov@gmail.com>,
	Greg KH <gregkh@linuxfoundation.org>,
	Lee Jones <lee.jones@linaro.org>, Luca Weiss <luca@z3ntu.xyz>,
	Maximilian Luz <luzmaximilian@gmail.com>,
	Pascal PAILLET-LME <p.paillet@st.com>,
	Rob Herring <robh@kernel.org>,
	Samuel Ortiz <sameo@linux.intel.com>,
	Thierry Reding <thierry.reding@gmail.com>,
	Thomas Gleixner <tglx@linutronix.de>
Cc: Support Opensource <Support.Opensource@diasemi.com>,
	"linux-input@vger.kernel.org" <linux-input@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
	"linux-pwm@vger.kernel.org" <linux-pwm@vger.kernel.org>
Subject: RE: [PATCH v15 3/3] Input: new da7280 haptic driver
Date: Fri, 3 Jul 2020 06:50:47 +0000
Message-ID: <DB8PR10MB3356C443A448F5B543C58BAC856A0@DB8PR10MB3356.EURPRD10.PROD.OUTLOOK.COM>
In-Reply-To: <31377d96-3e6d-e7b6-30de-0c7e9e6f9364@gmail.com>


On Fri, July 3, 2020 3:02 AM, Jes Sorensen wrote:
> On 6/29/20 9:01 AM, Roy Im wrote:
> > Adds support for the Dialog DA7280 LRA/ERM Haptic Driver with multiple
> > mode and integrated waveform memory and wideband support.
> > It communicates via an I2C bus to the device.
> >
> > Signed-off-by: Roy Im <roy.im.opensource@diasemi.com>
> > ---
> > v15:
> > 	- Removed some defines and updated some comments.
> > v14:
> > 	- Updated pwm related code, alignments and comments.
> > v13:
> > 	- Updated some conditions in pwm function and alignments.
> > v12: No changes.
> > v11:
> > 	- Updated the pwm related code, comments and typo.
> > v10:
> > 	- Updated the pwm related function and added some comments.
> > v9:
> > 	- Removed the header file and put the definitions into the c file.
> > 	- Updated the pwm code and error logs with %pE
> > v8:
> > 	- Added changes to support FF_PERIODIC/FF_CUSTOM and FF_CONSTANT.
> > 	- Updated the dt-related code.
> > 	- Removed memless related functions.
> > v7:
> > 	- Added more attributes to handle one value per file.
> > 	- Replaced and updated the dt-related code and functions called.
> > 	- Fixed error/functions.
> > v6: No changes.
> > v5: Fixed errors in Kconfig file.
> > v4: Updated code as dt-bindings are changed.
> > v3: No changes.
> > v2: Fixed kbuild error/warning
> >
> >
> >  drivers/input/misc/Kconfig  |   13 +
> >  drivers/input/misc/Makefile |    1 +
> >  drivers/input/misc/da7280.c | 1838
> > +++++++++++++++++++++++++++++++++++++++++++
> >  3 files changed, 1852 insertions(+)
> >  create mode 100644 drivers/input/misc/da7280.c
> 
> [snip]
> 
> > +static ssize_t
> > +patterns_store(struct device *dev,
> > +	       struct device_attribute *attr,
> > +	       const char *buf,
> > +	       size_t count)
> > +{
> > +	struct da7280_haptic *haptics = dev_get_drvdata(dev);
> > +	char cmd[MAX_USER_INPUT_LEN];
> > +	struct parse_data_t mem;
> > +	unsigned int val;
> > +	int error;
> > +
> > +	error = regmap_read(haptics->regmap, DA7280_MEM_CTL1, &val);
> > +	if (error)
> > +		return error;
> > +
> > +	if (count > MAX_USER_INPUT_LEN)
> > +		memcpy(cmd, buf, MAX_USER_INPUT_LEN);
> > +	else
> > +		memcpy(cmd, buf, count);
> > +
> > +	/* chop of '\n' introduced by echo at the end of the input */
> > +	if (cmd[count - 1] == '\n')
> > +		cmd[count - 1] = '\0';
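
Review bot: The '\n' chop at cmd[count - 1] is the only place these lines terminate cmd, so input without a trailing newline leaves the uninitialized stack buffer unterminated, and the index is taken from the unclamped count (and becomes count - 1 with count equal to 0 for an empty write). Clamp count to MAX_USER_INPUT_LEN - 1 once before the memcpy(), write cmd[count] = '\0' unconditionally, and strip the newline only when count > 0.
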
> 
> You have a potential memory corruption bug here for the case where
> count > MAX_USER_INPUT_LEN. The code correctly clamps the memcpy() length,
> but it still is at risk of writing beyond the end of the cmd buffer when
> doing the \0 termination.
> 
> If you change the code above to say
> 
> 	if (count > MAX_USER_INPUT_LEN)
> 		count = MAX_USER_INPUT_LEN;
> 	memcpy(cmd, buf, count);
> 
> it should take care of it, and it will also return the actual count written to the caller.

You are right, and thanks for your comment. I will change the code as you suggested.

Kind regards,
Roy
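
The bounded copy discussed in this exchange, as a user-space C model (an added example, not code from the patch or from anyone in the thread): the length is clamped once, before both the copy and the terminator write, one byte is reserved for the terminator, and empty input is guarded. The helper name copy_user_input and the buffer size of 16 are assumptions for illustration; the page does not show the driver's value of MAX_USER_INPUT_LEN.

```c
#include <stdio.h>
#include <string.h>

#define MAX_USER_INPUT_LEN 16	/* constructed value, not the driver's */

/*
 * User-space model of the copy step in a sysfs store handler
 * (hypothetical helper, not driver code). Copies at most
 * MAX_USER_INPUT_LEN - 1 bytes so a terminator always fits, terminates
 * unconditionally, then strips one trailing newline.
 * Returns the number of bytes kept in cmd.
 */
static size_t copy_user_input(char cmd[MAX_USER_INPUT_LEN],
			      const char *buf, size_t count)
{
	/* Clamp first: every later index is derived from this value. */
	if (count > MAX_USER_INPUT_LEN - 1)
		count = MAX_USER_INPUT_LEN - 1;

	memcpy(cmd, buf, count);
	cmd[count] = '\0';

	/* count == 0 must never reach cmd[count - 1]. */
	if (count > 0 && cmd[count - 1] == '\n')
		cmd[--count] = '\0';

	return count;
}

int main(void)
{
	/* Constructed inputs: short with newline, oversized, empty. */
	static const char *samples[] = {
		"1 2 3\n", "0123456789abcdefXYZ\n", ""
	};
	char cmd[MAX_USER_INPUT_LEN];
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		size_t n = copy_user_input(cmd, samples[i],
					   strlen(samples[i]));
		printf("kept %zu bytes: \"%s\"\n", n, cmd);
	}
	return 0;
}
```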


Thread overview: 7+ messages
2020-06-29 13:01 [PATCH v15 0/3] da7280: haptic driver submission Roy Im
2020-06-29 13:01 ` [PATCH v15 2/3] dt-bindings: input: Add document bindings for DA7280 Roy Im
2020-06-29 13:01 ` [PATCH v15 3/3] Input: new da7280 haptic driver Roy Im
2020-06-30  3:13   ` Randy Dunlap
2020-06-30  3:39     ` Roy Im
2020-07-02 18:01   ` Jes Sorensen
2020-07-03  6:50     ` Roy Im [this message]
