From: Dan Carpenter <dan.carpenter@oracle.com>
To: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Cc: David Miller <davem@davemloft.net>,
	linux-ide@vger.kernel.org, kernel-janitors@vger.kernel.org
Subject: Re: Re: [PATCH 1/2] cmd64x: potential buffer overflow in cmd64x_program_timings()
Date: Tue, 21 Jan 2020 11:55:14 +0000	[thread overview]
Message-ID: <20200121115514.GA1870@kadam> (raw)
In-Reply-To: <20200121114835.GB1847@kadam>

On Tue, Jan 21, 2020 at 02:48:35PM +0300, Dan Carpenter wrote:
> On Tue, Jan 21, 2020 at 12:15:54PM +0100, Bartlomiej Zolnierkiewicz wrote:
> > 
> > Hi,
> > 
> > On 1/20/20 2:40 PM, David Miller wrote:
> > > From: Dan Carpenter <dan.carpenter@oracle.com>
> > > Date: Tue, 7 Jan 2020 16:04:41 +0300
> > > 
> > >> The "drive->dn" value is a u8 and it is controlled by root only, but
> > >> it could be out of bounds here so let's check.
> > 
> > drive->dn should not be root controllable, please point me where it
> > happens as this may need fixing instead of cmd64x driver.
> > 
> > [ IDE core makes sure that drive->dn is never > 3 and a lot of code
> >   assumes it. ]
> > 
> 
> It's marked as a settable field in ide-proc.c
> 
> drivers/ide/ide-proc.c
>    206  ide_devset_rw(current_speed, xfer_rate);
>    207  ide_devset_rw_field(init_speed, init_speed);
>    208  ide_devset_rw_flag(nice1, IDE_DFLAG_NICE1);
>    209  ide_devset_rw_field(number, dn);
>                             ^^^^^^^^^^
> Sets ->dn
> 
>    210  
>    211  static const struct ide_proc_devset ide_generic_settings[] = {
>    212          IDE_PROC_DEVSET(current_speed, 0, 70),
>    213          IDE_PROC_DEVSET(init_speed, 0, 70),
>    214          IDE_PROC_DEVSET(io_32bit,  0, 1 + (SUPPORT_VLB_SYNC << 1)),
>    215          IDE_PROC_DEVSET(keepsettings, 0, 1),
>    216          IDE_PROC_DEVSET(nice1, 0, 1),
>    217          IDE_PROC_DEVSET(number, 0, 3),
                                          ^^^^
Argh...  This clamps it to 0-3, doesn't it?

Sorry, I didn't see that.

regards,
dan carpenter
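The point settled above is that the /proc write path, not the cmd64x driver, is where the range from IDE_PROC_DEVSET(number, 0, 3) is enforced. The following is an added model of that pattern (not kernel code; the struct names, set_number, proc_write_setting and timing_slot_for are assumptions): the int value is checked against [min, max] before it is narrowed into the u8 dn field, so out-of-range and wrapping values never reach the index.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of the drive structure: only the field under discussion (u8). */
struct ide_drive { uint8_t dn; };

/* Model of struct ide_proc_devset: a name plus the [min, max] range
 * the /proc write path checks before the setter is called. */
struct proc_devset {
    const char *name;
    int min, max;
    int (*set)(struct ide_drive *, int);
};

static int set_number(struct ide_drive *d, int val)
{
    d->dn = (uint8_t)val;   /* narrowing is safe only after the range check */
    return 0;
}

/* Same range as IDE_PROC_DEVSET(number, 0, 3) in the quoted table. */
static const struct proc_devset settings[] = {
    { "number", 0, 3, set_number },
};

/* Model of the proc write path: look the setting up by name, reject
 * anything outside [min, max] while it is still an int, then call
 * the setter. Returns 0 on success or a negative errno. */
int proc_write_setting(struct ide_drive *d, const char *name, int val)
{
    for (size_t i = 0; i < sizeof(settings) / sizeof(settings[0]); i++) {
        const struct proc_devset *s = &settings[i];
        if (strcmp(s->name, name) != 0)
            continue;
        if (val < s->min || val > s->max)
            return -EINVAL;
        return s->set(d, val);
    }
    return -ENOENT;
}

/* A four-entry per-drive table indexed by dn, as the timing code assumes.
 * Returns the slot that would be used, or -1 if dn is out of range. */
int timing_slot_for(const struct ide_drive *d)
{
    enum { SLOTS = 4 };
    return d->dn < SLOTS ? d->dn : -1;
}
```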
