* [PATCH] gpio-sim: fix memory corruption when adding named lines and unnamed hogs
@ 2023-06-06 5:13 Kent Gibson
2023-06-06 10:01 ` Bartosz Golaszewski
0 siblings, 1 reply; 4+ messages in thread
From: Kent Gibson @ 2023-06-06 5:13 UTC (permalink / raw)
To: linux-kernel, linux-gpio, brgl, linus.walleij; +Cc: Kent Gibson
When constructing the sim, gpio-sim constructs an array of named lines,
sized based on the largest offset of any named line, and then initializes
that array with the names of all lines, including unnamed hogs with higher
offsets. In doing so it writes NULLs beyond the extent of the array.
Add a check that only named lines are used to initialize the array.
Fixes: cb8c474e79be ("gpio: sim: new testing module")
Signed-off-by: Kent Gibson <warthog618@gmail.com>
---
After writing the comment above, and looking at the code again, it may be
clearer to instead check that the offset is within the bounds of the
array. Or do both. Consider that my review.
Cheers,
Kent.
drivers/gpio/gpio-sim.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/gpio/gpio-sim.c b/drivers/gpio/gpio-sim.c
index e5dfd636c63c..923e8ff53128 100644
--- a/drivers/gpio/gpio-sim.c
+++ b/drivers/gpio/gpio-sim.c
@@ -721,8 +721,10 @@ static char **gpio_sim_make_line_names(struct gpio_sim_bank *bank,
if (!line_names)
return ERR_PTR(-ENOMEM);
- list_for_each_entry(line, &bank->line_list, siblings)
- line_names[line->offset] = line->name;
+ list_for_each_entry(line, &bank->line_list, siblings) {
+ if (line->name)
+ line_names[line->offset] = line->name;
+ }
return line_names;
}
--
2.40.1
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH] gpio-sim: fix memory corruption when adding named lines and unnamed hogs
2023-06-06 5:13 [PATCH] gpio-sim: fix memory corruption when adding named lines and unnamed hogs Kent Gibson
@ 2023-06-06 10:01 ` Bartosz Golaszewski
2023-06-06 10:18 ` Kent Gibson
0 siblings, 1 reply; 4+ messages in thread
From: Bartosz Golaszewski @ 2023-06-06 10:01 UTC (permalink / raw)
To: Kent Gibson; +Cc: linux-kernel, linux-gpio, linus.walleij
On Tue, Jun 6, 2023 at 7:13 AM Kent Gibson <warthog618@gmail.com> wrote:
>
> When constructing the sim, gpio-sim constructs an array of named lines,
> sized based on the largest offset of any named line, and then initializes
> that array with the names of all lines, including unnamed hogs with higher
> offsets. In doing so it writes NULLs beyond the extent of the array.
>
> Add a check that only named lines are used to initialize the array.
>
> Fixes: cb8c474e79be ("gpio: sim: new testing module")
> Signed-off-by: Kent Gibson <warthog618@gmail.com>
> ---
>
> After writing the comment above, and looking at the code again, it may be
> clearer to instead check that the offset is within the bounds of the
> array. Or do both. Consider that my review.
>
Like:
if (line->offset <= max_offset)
line_names[line->offset] = line->name;
? If so, then I agree it makes the purpose of the check clearer.
Bart
> Cheers,
> Kent.
>
> drivers/gpio/gpio-sim.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/gpio/gpio-sim.c b/drivers/gpio/gpio-sim.c
> index e5dfd636c63c..923e8ff53128 100644
> --- a/drivers/gpio/gpio-sim.c
> +++ b/drivers/gpio/gpio-sim.c
> @@ -721,8 +721,10 @@ static char **gpio_sim_make_line_names(struct gpio_sim_bank *bank,
> if (!line_names)
> return ERR_PTR(-ENOMEM);
>
> - list_for_each_entry(line, &bank->line_list, siblings)
> - line_names[line->offset] = line->name;
> + list_for_each_entry(line, &bank->line_list, siblings) {
> + if (line->name)
> + line_names[line->offset] = line->name;
> + }
>
> return line_names;
> }
> --
> 2.40.1
>
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH] gpio-sim: fix memory corruption when adding named lines and unnamed hogs
2023-06-06 10:01 ` Bartosz Golaszewski
@ 2023-06-06 10:18 ` Kent Gibson
2023-06-06 11:33 ` Bartosz Golaszewski
0 siblings, 1 reply; 4+ messages in thread
From: Kent Gibson @ 2023-06-06 10:18 UTC (permalink / raw)
To: Bartosz Golaszewski; +Cc: linux-kernel, linux-gpio, linus.walleij
On Tue, Jun 06, 2023 at 12:01:53PM +0200, Bartosz Golaszewski wrote:
> On Tue, Jun 6, 2023 at 7:13 AM Kent Gibson <warthog618@gmail.com> wrote:
> >
> > When constructing the sim, gpio-sim constructs an array of named lines,
> > sized based on the largest offset of any named line, and then initializes
> > that array with the names of all lines, including unnamed hogs with higher
> > offsets. In doing so it writes NULLs beyond the extent of the array.
> >
> > Add a check that only named lines are used to initialize the array.
> >
> > Fixes: cb8c474e79be ("gpio: sim: new testing module")
> > Signed-off-by: Kent Gibson <warthog618@gmail.com>
> > ---
> >
> > After writing the comment above, and looking at the code again, it may be
> > clearer to instead check that the offset is within the bounds of the
> > array. Or do both. Consider that my review.
> >
>
> Like:
>
> if (line->offset <= max_offset)
> line_names[line->offset] = line->name;
>
> ? If so, then I agree it makes the purpose of the check clearer.
>
Using line_names_size might be even clearer.
So, either that or
if (line->name && (line->offset <= max_offset))
line_names[line->offset] = line->name;
to also not repeat the zeroing that the kcalloc() did.
Too many options. Let me know which you prefer.
Cheers,
Kent.
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH] gpio-sim: fix memory corruption when adding named lines and unnamed hogs
2023-06-06 10:18 ` Kent Gibson
@ 2023-06-06 11:33 ` Bartosz Golaszewski
0 siblings, 0 replies; 4+ messages in thread
From: Bartosz Golaszewski @ 2023-06-06 11:33 UTC (permalink / raw)
To: Kent Gibson; +Cc: linux-kernel, linux-gpio, linus.walleij
On Tue, Jun 6, 2023 at 12:19 PM Kent Gibson <warthog618@gmail.com> wrote:
>
> On Tue, Jun 06, 2023 at 12:01:53PM +0200, Bartosz Golaszewski wrote:
> > On Tue, Jun 6, 2023 at 7:13 AM Kent Gibson <warthog618@gmail.com> wrote:
> > >
> > > When constructing the sim, gpio-sim constructs an array of named lines,
> > > sized based on the largest offset of any named line, and then initializes
> > > that array with the names of all lines, including unnamed hogs with higher
> > > offsets. In doing so it writes NULLs beyond the extent of the array.
> > >
> > > Add a check that only named lines are used to initialize the array.
> > >
> > > Fixes: cb8c474e79be ("gpio: sim: new testing module")
> > > Signed-off-by: Kent Gibson <warthog618@gmail.com>
> > > ---
> > >
> > > After writing the comment above, and looking at the code again, it may be
> > > clearer to instead check that the offset is within the bounds of the
> > > array. Or do both. Consider that my review.
> > >
> >
> > Like:
> >
> > if (line->offset <= max_offset)
> > line_names[line->offset] = line->name;
> >
> > ? If so, then I agree it makes the purpose of the check clearer.
> >
>
> Using line_names_size might be even clearer.
>
> So, either that or
>
> if (line->name && (line->offset <= max_offset))
> line_names[line->offset] = line->name;
>
Yeah, let's go with this one.
Bart
> to also not repeat the zeroing that the kcalloc() did.
>
> Too many options. Let me know which you prefer.
>
> Cheers,
> Kent.
>
>
>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2023-06-06 11:33 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-06-06 5:13 [PATCH] gpio-sim: fix memory corruption when adding named lines and unnamed hogs Kent Gibson
2023-06-06 10:01 ` Bartosz Golaszewski
2023-06-06 10:18 ` Kent Gibson
2023-06-06 11:33 ` Bartosz Golaszewski
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox