From: Dan Carpenter <dan.carpenter-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
To: abbotti-GUHe90Wt2aFaa/9Udqfwiw@public.gmane.org
Cc: linux-spi-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: re: spi: spidev: only use up TX/RX bounce buffer space when needed
Date: Mon, 23 Mar 2015 16:01:37 +0300
Message-ID: <20150323130136.GA6761@mwanda>

Hi Ian,

The patch 9a12bff7c346: "spi: spidev: only use up TX/RX bounce buffer
space when needed" from Feb 16, 2015, has a potential integer overflow
issue.

drivers/spi/spidev.c

	total = 0;
	tx_total = 0;
	rx_total = 0;
	for (n = n_xfers, k_tmp = k_xfers, u_tmp = u_xfers;
			n;
			n--, k_tmp++, u_tmp++) {
		k_tmp->len = u_tmp->len;

		total += k_tmp->len;
		^^^^^^^^^^^^^^^^^^^
This is a potential integer overflow but the impact is not serious.

		/* Since the function returns the total length of transfers
		 * on success, restrict the total to positive int values to
		 * avoid the return value looking like an error.
		 */
		if (total > INT_MAX) {
			status = -EMSGSIZE;
			goto done;
		}

		if (u_tmp->rx_buf) {
			/* this transfer needs space in RX bounce buffer */
			rx_total += k_tmp->len;
			^^^^^^^^^^^^^^^^^^^^^^
This one can maybe result in an info leak?  I'm not sure.

			if (rx_total > bufsiz) {
				status = -EMSGSIZE;
				goto done;
			}
			k_tmp->rx_buf = rx_buf;
			if (!access_ok(VERIFY_WRITE, (u8 __user *)
						(uintptr_t) u_tmp->rx_buf,
						u_tmp->len))
				goto done;
			rx_buf += k_tmp->len;
		}

regards,
dan carpenter
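
The add-then-compare accumulation flagged in the message above, as an added example that is not part of the original email or of the kernel source. It assumes 32-bit unsigned accumulators and lengths; the function names, the 4096-byte limit and the sample lengths are constructed for illustration, and the pre-add check is one common way to harden the pattern, not necessarily the fix the driver adopted.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Pattern from the quoted loop: add first, compare afterwards.
 * Returns 0 and stores the accepted total, or -EMSGSIZE. */
int sum_check_after(const uint32_t *len, size_t n, uint32_t limit,
		    uint32_t *out)
{
	uint32_t total = 0;

	for (size_t i = 0; i < n; i++) {
		total += len[i];	/* unsigned add wraps modulo 2^32 */
		if (total > limit)	/* sees only the wrapped value */
			return -EMSGSIZE;
	}
	*out = total;
	return 0;
}

/* Hardened form: compare each length with the remaining headroom
 * before adding, so the running total can never wrap. */
int sum_check_before(const uint32_t *len, size_t n, uint32_t limit,
		     uint32_t *out)
{
	uint32_t total = 0;

	for (size_t i = 0; i < n; i++) {
		/* total <= limit always holds here, so no underflow */
		if (len[i] > limit - total)
			return -EMSGSIZE;
		total += len[i];
	}
	*out = total;
	return 0;
}

/* Constructed sample: the true sum is 2^32, which wraps to 0. */
static const uint32_t sample[] = { 1u, UINT32_MAX };

int main(void)
{
	uint32_t t = 0;

	printf("after:  %d\n", sum_check_after(sample, 2, 4096u, &t));
	printf("before: %d\n", sum_check_before(sample, 2, 4096u, &t));
	return 0;
}
```

With the sample lengths the post-add check accepts a total of 0, while the pre-add check rejects the second length with -EMSGSIZE.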