From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from smtp-out-038.synserver.de ([212.40.185.38]:1032 "EHLO smtp-out-038.synserver.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752136AbbHGLiu (ORCPT ); Fri, 7 Aug 2015 07:38:50 -0400 Message-ID: <55C498C2.1070709@metafoo.de> Date: Fri, 07 Aug 2015 13:38:42 +0200 From: Lars-Peter Clausen MIME-Version: 1.0 To: Dan Carpenter , Daniel Baluta CC: =?windows-1252?Q?ayb=FCke_=F6zdemir?= , Hartmut Knaack , Peter Meerwald , "linux-iio@vger.kernel.org" Subject: Re: staging: iio: accel: Use __be16 instead of u16 References: <20150715193650.GA28245@mwanda> <20150807112733.GI5096@mwanda> In-Reply-To: <20150807112733.GI5096@mwanda> Content-Type: text/plain; charset=windows-1252 Sender: linux-iio-owner@vger.kernel.org List-Id: linux-iio@vger.kernel.org On 08/07/2015 01:27 PM, Dan Carpenter wrote: > On Fri, Aug 07, 2015 at 01:59:40PM +0300, Daniel Baluta wrote: >>> 119 for (i = 0; i < num_read; i++) >>> 120 *(((u16 *)rx) + i) = be16_to_cpup((__be16 *)rx + i); >>> ^^^^^^^^^^^^^^^ >>> >>> We're writing beyond the end of the array here because of the pointer >>> math issue. The fix is probably to say: >>> >>> for (i = 0; i < num_read / sizeof(u16); i++) >>> *(((u16 *)rx) + i) = be16_to_cpup((__be16 *)rx + i); >>> >>> 121 >>> 122 if (copy_to_user(buf, rx, num_read)) >>> 123 ret = -EFAULT; >> >> Looks good to me. Please send a formal patch. > > It's weird that no one has noticed this bug in testing because we end > up corrupting memory every time this function is called. The buffers are probably smaller than the minimum allocation size so there is a bit of unused space after the buffer and overwriting it will not result in a corruption of used memory and nobody ever noticed. But in any way we should just drop the endianness conversion in kernelspace and advertise the data as big-endian to userspace. - Lars