From: "Heiko Stübner" <heiko.stuebner@bq.com>
To: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: linux-input@vger.kernel.org, Dirk Behme <dirk.behme@de.bosch.com>,
Oleksij Rempel <external.Oleksij.Rempel@de.bosch.com>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] Input: zforce_ts - fix playload length check
Date: Mon, 27 Jul 2015 23:35:23 +0200 [thread overview]
Message-ID: <9298777.SjHtUzmdFZ@diego> (raw)
In-Reply-To: <20150727210619.GA2825@dtor-ws>
Hi Dmitry,
Am Montag, 27. Juli 2015, 14:06:19 schrieb Dmitry Torokhov:
> Commit 7d01cd261c76f95913c81554a751968a1d282d3a ("Input: zforce - don't
> overwrite the stack") attempted to add a check for payload size being too
> large for the supplied buffer. Unfortunately with the currently selected
> buffer size the comparison is always false as buffer size is larger than
> the value a single byte can hold, and that results in compiler warnings.
> Additionally the check was incorrect as it was not accounting for the
> already read 2 bytes of data stored in the buffer.
>
> Fixes: 7d01cd261c76f95913c81554a751968a1d282d3a
> Reported-by: kbuild test robot <fengguang.wu@intel.com>
> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
> ---
>
> This seems to shut up my GCC, I wonder if it is going to work gfor
> everyone or we better add BUILD_BUG_ON(FRAME_MAXSIZE < 257) and a
> comment and remove check.
needed a bit to get to know my old zforce driver again ;-)
I may be blind, but currently I fail to see what problem the original patch
actually tries to fix.
buf[PAYLOAD_LENGTH] is an u8, so the max value it can contain is 255. The
i2c_master_recv reads buf[PAYLOAD_LENGTH]-bytes into the buffer starting at
buf[PAYLOAD_BODY] (= buf[2]). So it reads at max 255 bytes into a 257 byte big
buffer starting at index 2.
zforce_read_packet, also is an internal function used only by the interrupt
handler, which always only calls it with a buffer of FRAME_MAXSIZE size.
The original patch said "If we get a corrupted packet with PAYLOAD_LENGTH >
FRAME_MAXSIZE, we will silently overwrite the stack." but payload_length can
never actually be greater than the buffer size?
Very confused
Heiko
> drivers/input/touchscreen/zforce_ts.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/input/touchscreen/zforce_ts.c
> b/drivers/input/touchscreen/zforce_ts.c index 2554efd..542ff02 100644
> --- a/drivers/input/touchscreen/zforce_ts.c
> +++ b/drivers/input/touchscreen/zforce_ts.c
> @@ -441,7 +441,9 @@ static int zforce_read_packet(struct zforce_ts *ts, u8
> *buf) goto unlock;
> }
>
> - if (buf[PAYLOAD_LENGTH] == 0 || buf[PAYLOAD_LENGTH] > FRAME_MAXSIZE) {
> + if (buf[PAYLOAD_LENGTH] == 0 ||
> + (FRAME_MAXSIZE - 2 < 255 &&
> + buf[PAYLOAD_LENGTH] > FRAME_MAXSIZE - 2)) {
> dev_err(&client->dev, "invalid payload length: %d\n",
> buf[PAYLOAD_LENGTH]);
> ret = -EIO;
next prev parent reply other threads:[~2015-07-27 21:35 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-27 21:06 [PATCH] Input: zforce_ts - fix playload length check Dmitry Torokhov
2015-07-27 21:35 ` Heiko Stübner [this message]
2015-07-27 21:44 ` Dmitry Torokhov
2015-07-27 21:53 ` Heiko Stübner
2015-07-27 22:16 ` Dmitry Torokhov
2015-07-28 10:23 ` Geert Uytterhoeven
2015-07-28 11:28 ` Dirk Behme
2015-07-28 16:30 ` Dmitry Torokhov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9298777.SjHtUzmdFZ@diego \
--to=heiko.stuebner@bq.com \
--cc=dirk.behme@de.bosch.com \
--cc=dmitry.torokhov@gmail.com \
--cc=external.Oleksij.Rempel@de.bosch.com \
--cc=linux-input@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox