[PATCH 1/2] tpm/tpm_ppi: Do not compare strcmp(a,b) == -1

[PATCH 1/2] tpm/tpm_ppi: Do not compare strcmp(a,b) == -1

[Peter Huewe]

strcmp does return the difference between two strings not only -1,0,1
consequently
 if (strcmp (a,b) == -1)
might lead to taking the wrong branch

-> compare with <= instead.

This also makes the code/behavior compliant with its comments.
(e.g. if PPI Version is 1.0)

Fixes Coverity complaints:
CID: 741083 Misuse of memcmp-style function
CID: 741084 Misuse of memcmp-style function
CID: 741085 Misuse of memcmp-style function

Cc: stable@vger.kernel.org
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
---
 drivers/char/tpm/tpm_ppi.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/char/tpm/tpm_ppi.c b/drivers/char/tpm/tpm_ppi.c
index 8e562dc..8b2e05a 100644
--- a/drivers/char/tpm/tpm_ppi.c
+++ b/drivers/char/tpm/tpm_ppi.c
@@ -169,7 +169,7 @@ static ssize_t tpm_store_ppi_request(struct device *dev,
 	 * is updated with function index from SUBREQ to SUBREQ2 since PPI
 	 * version 1.1
 	 */
-	if (strcmp(version, "1.1") == -1)
+	if (strcmp(version, "1.1") <= -1)
 		params[2].integer.value = TPM_PPI_FN_SUBREQ;
 	else
 		params[2].integer.value = TPM_PPI_FN_SUBREQ2;
@@ -179,7 +179,7 @@ static ssize_t tpm_store_ppi_request(struct device *dev,
 	 * string/package type. For PPI version 1.0 and 1.1, use buffer type
 	 * for compatibility, and use package type since 1.2 according to spec.
 	 */
-	if (strcmp(version, "1.2") == -1) {
+	if (strcmp(version, "1.2") <= -1) {
 		params[3].type = ACPI_TYPE_BUFFER;
 		params[3].buffer.length = sizeof(req);
 		sscanf(buf, "%d", &req);
@@ -245,7 +245,7 @@ static ssize_t tpm_show_ppi_transition_action(struct device *dev,
 	 * (e.g. Capella with PPI 1.0) need integer/string/buffer type, so for
 	 * compatibility, define params[3].type as buffer, if PPI version < 1.2
 	 */
-	if (strcmp(version, "1.2") == -1) {
+	if (strcmp(version, "1.2") <= -1) {
 		params[3].type = ACPI_TYPE_BUFFER;
 		params[3].buffer.length =  0;
 		params[3].buffer.pointer = NULL;
@@ -387,7 +387,7 @@ static ssize_t show_ppi_operations(char *buf, u32 start, u32 end)
 	kfree(output.pointer);
 	output.length = ACPI_ALLOCATE_BUFFER;
 	output.pointer = NULL;
-	if (strcmp(version, "1.2") == -1)
+	if (strcmp(version, "1.2") <= -1)
 		return -EPERM;
 
 	params[2].integer.value = TPM_PPI_FN_GETOPR;
-- 
1.7.8.6

[PATCH 2/2] tpm/tpm_ppi: Check return value of acpi_get_name

[Peter Huewe]

If
 status = acpi_get_name(handle, ACPI_FULL_PATHNAME, &buffer);
fails for whatever reason and does not return AE_OK
 if (strstr(buffer.pointer, context) != NULL) {
does dereference a null pointer.

-> Check the return value and return the status to the caller

Found by coverity
CID: 728462 Explicit null dereferenced
Cc: stable@vger.kernel.org
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
---
 drivers/char/tpm/tpm_ppi.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/drivers/char/tpm/tpm_ppi.c b/drivers/char/tpm/tpm_ppi.c
index 8b2e05a..2242917 100644
--- a/drivers/char/tpm/tpm_ppi.c
+++ b/drivers/char/tpm/tpm_ppi.c
@@ -30,6 +30,9 @@ static acpi_status ppi_callback(acpi_handle handle, u32 level, void *context,
 	acpi_status status;
 	struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL };
 	status = acpi_get_name(handle, ACPI_FULL_PATHNAME, &buffer);
+	if (ACPI_FAILURE(status))
+		return status;
+
 	if (strstr(buffer.pointer, context) != NULL) {
 		*return_value = handle;
 		kfree(buffer.pointer);
-- 
1.7.8.6

Re: [PATCH 1/2] tpm/tpm_ppi: Do not compare strcmp(a,b) == -1

[Joe Perches]

On Wed, 2013-10-30 at 01:40 +0100, Peter Huewe wrote:
> strcmp does return the difference between two strings not only -1,0,1
> consequently
>  if (strcmp (a,b) == -1)
> might lead to taking the wrong branch
> 
> -> compare with <= instead.

lib/string.c:strcmp returns only -1,0,1
so that's what the arch versions should do too.
However, arch implementations do vary...

fyi: using
	if (strcmp(foo, bar) < 0)
is canonical.

There are no existing <= -1 uses.

Re: [tpmdd-devel] [PATCH 1/2] tpm/tpm_ppi: Do not compare strcmp(a, b) == -1

[Jason Gunthorpe]

On Wed, Oct 30, 2013 at 01:40:27AM +0100, Peter Huewe wrote:
> strcmp does return the difference between two strings not only -1,0,1
> consequently
>  if (strcmp (a,b) == -1)
> might lead to taking the wrong branch
> 
> -> compare with <= instead.

I've always thought this was the preferred idiom:

cmp(a,b) == 0
cmp(a,b) < 0
cmp(a,b) > 0

As the operator matches what is actually happening in all cases.

'>= -1' doesn't mean a >= b.

Regards,
Jason

Re: [PATCH 1/2] tpm/tpm_ppi: Do not compare strcmp(a,b) == -1

[Peter Hüwe]

Hi Joe, Jason
> fyi: using
> 	if (strcmp(foo, bar) < 0)
> is canonical.

Yeah of course you're both right - 
    if (strcmp(foo, bar) < 0) 
is the correct version.
Sorry about the rubbish patch.


> lib/string.c:strcmp returns only -1,0,1
> so that's what the arch versions should do too.
> However, arch implementations do vary...

Joe, You are right on this one as well.

I did not pay attention to where cscope did send me 
- it was arch/x86/boot/string.c which implements it as 

        while (*s1 || *s2) {
                delta = *s2 - *s1;
                if (delta)
                        return delta;
                s1++;
                s2++;
        }

Although I know that this is not used here, 
it differs from the version in lib. (Maybe worth changing?)


In anycase 
    if (strcmp(foo, bar) < 0)
is better than
    if (strcmp(foo, bar) == -1)
so I'll resend the patch.

Thanks for reviewing!

Peter

Re: [PATCH 1/2] tpm/tpm_ppi: Do not compare strcmp(a,b) == -1

[Joe Perches]

On Wed, 2013-10-30 at 20:35 +0100, Peter Hüwe wrote:
> Hi Joe, Jason

Hi Peter.

> > lib/string.c:strcmp returns only -1,0,1
> > so that's what the arch versions should do too.
> > However, arch implementations do vary...
[]
> I did not pay attention to where cscope did send me 
> - it was arch/x86/boot/string.c which implements it as 
> 
>         while (*s1 || *s2) {
>                 delta = *s2 - *s1;
>                 if (delta)
>                         return delta;
>                 s1++;
>                 s2++;
>         }
> 
> Although I know that this is not used here, 
> it differs from the version in lib. (Maybe worth changing?)

The arch/... assembly versions don't always
return -1, 0, 1 so I don't think it's worth
it to change all of those.

[PATCH 1/2 v2] tpm/tpm_ppi: Do not compare strcmp(a,b) == -1

[Peter Huewe]

Depending on the implementation strcmp might return the difference between
two strings not only -1,0,1 consequently
 if (strcmp (a,b) == -1)
might lead to taking the wrong branch

-> compare with < 0  instead,
which in any case is more canonical.

Cc: stable@vger.kernel.org
Signed-off-by: Peter Huewe <peterhuewe@gmx.de>
---
sorry for the rubbish first patch, 
should get more sleep, but coding is too much fun;)

 drivers/char/tpm/tpm_ppi.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/char/tpm/tpm_ppi.c b/drivers/char/tpm/tpm_ppi.c
index 8e562dc..18c5810 100644
--- a/drivers/char/tpm/tpm_ppi.c
+++ b/drivers/char/tpm/tpm_ppi.c
@@ -169,7 +169,7 @@ static ssize_t tpm_store_ppi_request(struct device *dev,
 	 * is updated with function index from SUBREQ to SUBREQ2 since PPI
 	 * version 1.1
 	 */
-	if (strcmp(version, "1.1") == -1)
+	if (strcmp(version, "1.1") < 0)
 		params[2].integer.value = TPM_PPI_FN_SUBREQ;
 	else
 		params[2].integer.value = TPM_PPI_FN_SUBREQ2;
@@ -179,7 +179,7 @@ static ssize_t tpm_store_ppi_request(struct device *dev,
 	 * string/package type. For PPI version 1.0 and 1.1, use buffer type
 	 * for compatibility, and use package type since 1.2 according to spec.
 	 */
-	if (strcmp(version, "1.2") == -1) {
+	if (strcmp(version, "1.2") < 0) {
 		params[3].type = ACPI_TYPE_BUFFER;
 		params[3].buffer.length = sizeof(req);
 		sscanf(buf, "%d", &req);
@@ -245,7 +245,7 @@ static ssize_t tpm_show_ppi_transition_action(struct device *dev,
 	 * (e.g. Capella with PPI 1.0) need integer/string/buffer type, so for
 	 * compatibility, define params[3].type as buffer, if PPI version < 1.2
 	 */
-	if (strcmp(version, "1.2") == -1) {
+	if (strcmp(version, "1.2") < 0) {
 		params[3].type = ACPI_TYPE_BUFFER;
 		params[3].buffer.length =  0;
 		params[3].buffer.pointer = NULL;
@@ -387,7 +387,7 @@ static ssize_t show_ppi_operations(char *buf, u32 start, u32 end)
 	kfree(output.pointer);
 	output.length = ACPI_ALLOCATE_BUFFER;
 	output.pointer = NULL;
-	if (strcmp(version, "1.2") == -1)
+	if (strcmp(version, "1.2") < 0)
 		return -EPERM;
 
 	params[2].integer.value = TPM_PPI_FN_GETOPR;
-- 
1.7.8.6

Re: [PATCH 1/2] tpm/tpm_ppi: Do not compare strcmp(a,b) == -1

[Bernd Petrovitsch]

Hi all!

On Mit, 2013-10-30 at 12:41 -0700, Joe Perches wrote:
[...]
> The arch/... assembly versions don't always
> return -1, 0, 1 so I don't think it's worth
> it to change all of those.

FWIW user-space strcmp() - e.g. as in
http://pubs.opengroup.org/onlinepubs/009695399/functions/strcmp.html but
also (glibcs) manual page- doesn't guarantee -1 or +1 either,

MfG,
	Bernd
-- 
Bernd Petrovitsch                  Email : bernd@petrovitsch.priv.at
                     LUGA : http://www.luga.at