[PATCH 1/2] iio: fix possible buffer overflow

linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH 1/2] iio: fix possible buffer overflow
@ 2014-05-02 22:40 Alexandre Belloni
  2014-05-02 22:40 ` [PATCH 2/2] " Alexandre Belloni
  2014-05-03 10:11 ` [PATCH 1/2] " Jonathan Cameron
  0 siblings, 2 replies; 4+ messages in thread
From: Alexandre Belloni @ 2014-05-02 22:40 UTC (permalink / raw)
  To: Jonathan Cameron; +Cc: linux-iio, linux-kernel, Alexandre Belloni

Found using smatch:
drivers/iio/industrialio-core.c:719 iio_device_add_info_mask_type() error:
buffer overflow 'iio_chan_info_postfix' 17 <= 63

It was probably never hit because the info_mask_* members are filled by using
the BIT() macro with values from the iio_chan_info_enum enum that also serve as
the index of the iio_chan_info_postfix array.

Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
---
 drivers/iio/industrialio-core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
index ede16aec20fb..5e7a67e53879 100644
--- a/drivers/iio/industrialio-core.c
+++ b/drivers/iio/industrialio-core.c
@@ -715,7 +715,8 @@ static int iio_device_add_info_mask_type(struct iio_dev *indio_dev,
 {
 	int i, ret, attrcount = 0;
 
-	for_each_set_bit(i, infomask, sizeof(infomask)*8) {
+	for_each_set_bit(i, infomask, min(sizeof(infomask)*8,
+					  ARRAY_SIZE(iio_chan_info_postfix))) {
 		ret = __iio_add_chan_devattr(iio_chan_info_postfix[i],
 					     chan,
 					     &iio_read_channel_info,
-- 
1.9.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [PATCH 2/2] iio: fix possible buffer overflow
  2014-05-02 22:40 [PATCH 1/2] iio: fix possible buffer overflow Alexandre Belloni
@ 2014-05-02 22:40 ` Alexandre Belloni
  2014-05-03 10:11 ` [PATCH 1/2] " Jonathan Cameron
  1 sibling, 0 replies; 4+ messages in thread
From: Alexandre Belloni @ 2014-05-02 22:40 UTC (permalink / raw)
  To: Jonathan Cameron; +Cc: linux-iio, linux-kernel, Alexandre Belloni

Found using smatch:
drivers/iio/industrialio-event.c:327 iio_device_add_event() error: buffer
overflow 'iio_ev_info_text' 3 <= 7

It was probably never hit because the mask_* members of the event_spec struct
are filled by using the BIT() macro with values from the iio_event_info enum
that also serve as the index of the iio_ev_info_text array.

Also, for_each_set_bit takes a number of bits as the size, not a number of
bytes.

Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
---
 drivers/iio/industrialio-event.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/iio/industrialio-event.c b/drivers/iio/industrialio-event.c
index ea6e06b9c7d4..804e90676159 100644
--- a/drivers/iio/industrialio-event.c
+++ b/drivers/iio/industrialio-event.c
@@ -321,7 +321,8 @@ static int iio_device_add_event(struct iio_dev *indio_dev,
 	char *postfix;
 	int ret;
 
-	for_each_set_bit(i, mask, sizeof(*mask)) {
+	for_each_set_bit(i, mask,
+			 min(sizeof(*mask)*8, ARRAY_SIZE(iio_ev_info_text))) {
 		postfix = kasprintf(GFP_KERNEL, "%s_%s_%s",
 				iio_ev_type_text[type], iio_ev_dir_text[dir],
 				iio_ev_info_text[i]);
-- 
1.9.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH 1/2] iio: fix possible buffer overflow
  2014-05-02 22:40 [PATCH 1/2] iio: fix possible buffer overflow Alexandre Belloni
  2014-05-02 22:40 ` [PATCH 2/2] " Alexandre Belloni
@ 2014-05-03 10:11 ` Jonathan Cameron
  2014-05-03 16:01   ` Alexandre Belloni
  1 sibling, 1 reply; 4+ messages in thread
From: Jonathan Cameron @ 2014-05-03 10:11 UTC (permalink / raw)
  To: Alexandre Belloni; +Cc: linux-iio, linux-kernel

On 02/05/14 23:40, Alexandre Belloni wrote:
> Found using smatch:
> drivers/iio/industrialio-core.c:719 iio_device_add_info_mask_type() error:
> buffer overflow 'iio_chan_info_postfix' 17 <= 63
>
> It was probably never hit because the info_mask_* members are filled by using
> the BIT() macro with values from the iio_chan_info_enum enum that also serve as
> the index of the iio_chan_info_postfix array.
>
> Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
See
ef4b4856593fc3d9d169bededdaf7acf62f83a52
iio:core: Fix bug in length of event info_mask and catch unhandled bits set in masks.

Which fixes the same issue in a slightly different way.

Pretty recent patch though and this was there for ages before that.
Better to have two fixes than none.

Thanks,

J
> ---
>   drivers/iio/industrialio-core.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
> index ede16aec20fb..5e7a67e53879 100644
> --- a/drivers/iio/industrialio-core.c
> +++ b/drivers/iio/industrialio-core.c
> @@ -715,7 +715,8 @@ static int iio_device_add_info_mask_type(struct iio_dev *indio_dev,
>   {
>   	int i, ret, attrcount = 0;
>
> -	for_each_set_bit(i, infomask, sizeof(infomask)*8) {
> +	for_each_set_bit(i, infomask, min(sizeof(infomask)*8,
> +					  ARRAY_SIZE(iio_chan_info_postfix))) {
>   		ret = __iio_add_chan_devattr(iio_chan_info_postfix[i],
>   					     chan,
>   					     &iio_read_channel_info,
>


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH 1/2] iio: fix possible buffer overflow
  2014-05-03 10:11 ` [PATCH 1/2] " Jonathan Cameron
@ 2014-05-03 16:01   ` Alexandre Belloni
  0 siblings, 0 replies; 4+ messages in thread
From: Alexandre Belloni @ 2014-05-03 16:01 UTC (permalink / raw)
  To: Jonathan Cameron; +Cc: linux-iio, linux-kernel

On 03/05/2014 at 11:11:50 +0100, Jonathan Cameron wrote :
> On 02/05/14 23:40, Alexandre Belloni wrote:
> >Found using smatch:
> >drivers/iio/industrialio-core.c:719 iio_device_add_info_mask_type() error:
> >buffer overflow 'iio_chan_info_postfix' 17 <= 63
> >
> >It was probably never hit because the info_mask_* members are filled by using
> >the BIT() macro with values from the iio_chan_info_enum enum that also serve as
> >the index of the iio_chan_info_postfix array.
> >
> >Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
> See
> ef4b4856593fc3d9d169bededdaf7acf62f83a52
> iio:core: Fix bug in length of event info_mask and catch unhandled bits set in masks.
> 
> Which fixes the same issue in a slightly different way.
> 
> Pretty recent patch though and this was there for ages before that.
> Better to have two fixes than none.
> 

Yeah, I missed your patch and it didn't hit Linus' tree yet. Sorry about
the noise, next time I'll try to remember to check your tree.

-- 
Alexandre Belloni, Free Electrons
Embedded Linux, Kernel and Android engineering
http://free-electrons.com

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2014-05-03 16:01 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-05-02 22:40 [PATCH 1/2] iio: fix possible buffer overflow Alexandre Belloni
2014-05-02 22:40 ` [PATCH 2/2] " Alexandre Belloni
2014-05-03 10:11 ` [PATCH 1/2] " Jonathan Cameron
2014-05-03 16:01   ` Alexandre Belloni

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).