From: Jeffrey Hugo <quic_jhugo@quicinc.com>
To: Dan Carpenter <dan.carpenter@linaro.org>
Cc: Carl Vanderlip <quic_carlv@quicinc.com>,
Pranjal Ramajor Asha Kanojiya <quic_pkanojiy@quicinc.com>,
Oded Gabbay <ogabbay@kernel.org>, <linux-arm-msm@vger.kernel.org>,
<dri-devel@lists.freedesktop.org>,
<kernel-janitors@vger.kernel.org>
Subject: Re: [PATCH 0/5] accel/qaic: Improve bounds checking in encode/decode
Date: Wed, 21 Jun 2023 20:53:41 -0600 [thread overview]
Message-ID: <26a1858f-d428-a2ac-9ddd-115ba2d8becc@quicinc.com> (raw)
In-Reply-To: <af83549b-ccb4-4a8d-b036-9359eba9d39f@moroto.mountain>
On 6/21/2023 1:21 AM, Dan Carpenter wrote:
> (I think this is the first cover letter I have ever written).
>
> These patches are based on review and not from testing.
Thank you for your review. I look forward to reading your patches and
learning from them.
Did you use any kind of tooling? If there is something we can add to
our flow to bring up the quality, I would like to consider it.
Tooling or no, the control path is not a trivial part of the driver to
dip your toes in, and it seems like you really dug deep. I find that
impressive.
> I found it quite complicated to track the buffer sizes. What happens
> is the qaic_manage() gets a buffer user_msg->data[] which has
> user_msg->len bytes. The qaic_manage() calls qaic_manage_msg_xfer()
> which encodes the user's message.
>
> Then we get a response and we decode the response back into
> user_msg->data[], but we don't check that it is overflowed. We instead
> copy seem to check against msg_hdr_len (which would prevent a read
> overflow). At the end user_msg->len gets set to the number of bytes
> that we copied to the buffer.
>
> I'm coming to this code brand new, it's the first time I have seen it.
> So I don't really understand. There is an element of trust in
> msg_hdr_len but then at other times we check it for integer overflows
> which indicates deep distrust.
Overall, we are taking a message from userspace and transforming it into
something the firmware on the device can consume. Then we get a
response back from the firmware, and transform that back into something
userspace can consume. From the driver perspective, neither the
firmware nor userspace is really trusted. msg_hdr_len is something that
the driver calculates and maintains, but is updated with untrusted values.
I can see where that could be confusing. I look forward to looking at
what you've found, and hopefully making the code better.
> What I'm saying is that there may be more issues in this code. But also
> that I don't really understand it so please review carefully.
>
> The patch that I'm least sure of is 4/5:
>
> [PATCH 4/5] accel/qaic: move and expand integer overflow checks for
> map_user_pages()
>
> regards,
> dan carpenter
next prev parent reply other threads:[~2023-06-22 2:53 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-21 7:21 [PATCH 0/5] accel/qaic: Improve bounds checking in encode/decode Dan Carpenter
2023-06-21 7:21 ` [PATCH 1/5] accel/qaic: tighten bounds checking in encode_message() Dan Carpenter
2023-06-22 11:24 ` Pranjal Ramajor Asha Kanojiya
2023-06-22 11:43 ` Dan Carpenter
2023-06-22 11:54 ` Dan Carpenter
2023-07-04 6:27 ` Pranjal Ramajor Asha Kanojiya
2023-07-04 6:34 ` Pranjal Ramajor Asha Kanojiya
2023-07-04 8:48 ` Dan Carpenter
2023-07-04 8:38 ` Dan Carpenter
2023-07-04 9:48 ` Pranjal Ramajor Asha Kanojiya
2023-07-04 9:58 ` Dan Carpenter
2023-07-07 18:29 ` Jeffrey Hugo
2023-06-21 7:21 ` [PATCH 2/5] accel/qaic: tighten bounds checking in decode_message() Dan Carpenter
2023-07-04 6:30 ` Pranjal Ramajor Asha Kanojiya
2023-07-07 18:43 ` Jeffrey Hugo
2023-06-21 7:22 ` [PATCH 3/5] accel/qaic: Add consistent integer overflow checks Dan Carpenter
2023-07-07 18:51 ` Jeffrey Hugo
2023-07-08 5:06 ` Pranjal Ramajor Asha Kanojiya
2023-06-21 7:22 ` [PATCH 4/5] accel/qaic: move and expand integer overflow checks for map_user_pages() Dan Carpenter
2023-07-07 19:16 ` Jeffrey Hugo
2023-06-21 7:22 ` [PATCH 5/5] accel/qaic: Fix a leak in map_user_pages() Dan Carpenter
2023-07-07 19:24 ` Jeffrey Hugo
2023-07-08 4:44 ` Pranjal Ramajor Asha Kanojiya
2023-06-22 2:53 ` Jeffrey Hugo [this message]
2023-06-22 10:22 ` [PATCH 0/5] accel/qaic: Improve bounds checking in encode/decode Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=26a1858f-d428-a2ac-9ddd-115ba2d8becc@quicinc.com \
--to=quic_jhugo@quicinc.com \
--cc=dan.carpenter@linaro.org \
--cc=dri-devel@lists.freedesktop.org \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-arm-msm@vger.kernel.org \
--cc=ogabbay@kernel.org \
--cc=quic_carlv@quicinc.com \
--cc=quic_pkanojiy@quicinc.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox