From: Greg KH <gregkh@linuxfoundation.org>
To: Tomas Winkler <tomas.winkler@intel.com>
Cc: arnd@arndb.de, linux-kernel@vger.kernel.org
Subject: Re: [char-misc-next 2/8] mei: hbm: validate client index is not exceeding allocated array size
Date: Tue, 29 Oct 2013 16:19:45 -0700
Message-ID: <20131029231945.GB30410@kroah.com>
In-Reply-To: <1382382343-12066-3-git-send-email-tomas.winkler@intel.com>

On Mon, Oct 21, 2013 at 10:05:37PM +0300, Tomas Winkler wrote:
> Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
> ---
>  drivers/misc/mei/hbm.c | 6 ++++--
>  1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/misc/mei/hbm.c b/drivers/misc/mei/hbm.c
> index 9b3a0fb..0f5e8ca 100644
> --- a/drivers/misc/mei/hbm.c
> +++ b/drivers/misc/mei/hbm.c
> @@ -228,8 +228,6 @@ static int mei_hbm_prop_req(struct mei_device *dev)
>  	unsigned long client_num;
>  
>  
> -	client_num = dev->me_client_presentation_num;
> -
>  	next_client_index = find_next_bit(dev->me_clients_map, MEI_CLIENTS_MAX,
>  					  dev->me_client_index);
>  
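
Review bot: Two consecutive blank lines are left after the "unsigned long client_num;" declaration at the top of this hunk once the assignment is removed. Since the patch already touches this spot, collapse them to a single blank line before the find_next_bit() call.
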
> @@ -241,6 +239,10 @@ static int mei_hbm_prop_req(struct mei_device *dev)
>  		return 0;
>  	}
>  
> +	client_num = dev->me_client_presentation_num;
> +	if (WARN_ON(dev->me_clients_num <= client_num))
> +		return -EIO;
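
Review bot: The WARN_ON() around the new bounds check on client_num prints a full backtrace every time the condition is hit, and the commit message carries only a Signed-off-by, so nothing states how me_client_presentation_num could reach me_clients_num. Please describe the triggering path in the changelog. If the condition can be reached at runtime, keep the "return -EIO" but report it with a single dev_err() or WARN_ON_ONCE() so repeated hits cannot flood the log; if it can only result from a driver bug, fix the place where the two counters diverge instead. The comparison would also read more naturally as "client_num >= dev->me_clients_num".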

How can this happen?  Why is spitting out a huge warning in the syslog
going to help anything?  If a user can do this, then great, now you can
DoS your syslog :(

If a user can't do this, then why tell them, it's your driver's bug that
you should just fix.

greg k-h
