Re: [PATCH] platform/chrome: cros_ec: fix read overflow in cros_ec_lpc_readmem()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



 On Thu, Dec 9, 2021 at 6:35 AM Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
>
> If bytes is larger than EC_MEMMAP_SIZE (255) then "EC_MEMMAP_SIZE -
> bytes" is a very high unsigned value and basically offset is
> accepted.  The second problem is that it uses >= instead of > so this
> means that we are not able to read the very last byte.
>
> Fixes: ec2f33ab582b ("platform/chrome: Add cros_ec_lpc driver for x86 devices")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
>  drivers/platform/chrome/cros_ec_lpc.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/platform/chrome/cros_ec_lpc.c b/drivers/platform/chrome/cros_ec_lpc.c
> index d6306d2a096f..7e1d175def9f 100644
> --- a/drivers/platform/chrome/cros_ec_lpc.c
> +++ b/drivers/platform/chrome/cros_ec_lpc.c
> @@ -290,7 +290,8 @@ static int cros_ec_lpc_readmem(struct cros_ec_device *ec, unsigned int offset,
>         char *s = dest;
>         int cnt = 0;
>
> -       if (offset >= EC_MEMMAP_SIZE - bytes)
> +       if (offset > EC_MEMMAP_SIZE ||
> +           bytes > EC_MEMMAP_SIZE - offset)

I think that means we have the same problem if offset >
EC_MEMMAP_SIZE, only now that condition isn't detected anymore because
EC_MEMMAP_SIZE - offset is a very large number.
I think what we really want is
        if (offset + bytes > EC_MEMMAP_SIZE)
only without the overflow. Not sure how we can get there without
checking each part.
        if (offset > EC_MEMMAP_SIZE || bytes > EC_MEMMAP_SIZE || bytes
+ offset > EC_MEMMAP_SIZE)
                return -EINVAL;
Maybe that ?
        if ((u64) offset + bytes > EC_MEMMAP_SIZE)
                return -EINVAL;

Thanks,
Guenter

>                 return -EINVAL;
>
>         /* fixed length */
> --
> 2.20.1
>



[Index of Archives]     [Kernel Development]     [Kernel Announce]     [Kernel Newbies]     [Linux Networking Development]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Device Mapper]

  Powered by Linux