re: spi: spidev: only use up TX/RX bounce buffer space when needed

Hi Ian,

The patch 9a12bff7c346: "spi: spidev: only use up TX/RX bounce buffer
space when needed" from Feb 16, 2015, has a potential integer overflow
issue.

drivers/spi/spidev.c
   241          total = 0;
   242          tx_total = 0;
   243          rx_total = 0;
   244          for (n = n_xfers, k_tmp = k_xfers, u_tmp = u_xfers;
   245                          n;
   246                          n--, k_tmp++, u_tmp++) {
   247                  k_tmp->len = u_tmp->len;
   248  
   249                  total += k_tmp->len;
                        ^^^^^^^^^^^^^^^^^^^
This is a potential integer overflow but the impact is not serious.

   250                  /* Since the function returns the total length of transfers
   251                   * on success, restrict the total to positive int values to
   252                   * avoid the return value looking like an error.
   253                   */
   254                  if (total > INT_MAX) {
   255                          status = -EMSGSIZE;
   256                          goto done;
   257                  }
   258  
   259                  if (u_tmp->rx_buf) {
   260                          /* this transfer needs space in RX bounce buffer */
   261                          rx_total += k_tmp->len;
                                ^^^^^^^^^^^^^^^^^^^^^^
This one can maybe result in an info leak?  I'm not sure.

   262                          if (rx_total > bufsiz) {
   263                                  status = -EMSGSIZE;
   264                                  goto done;
   265                          }
   266                          k_tmp->rx_buf = rx_buf;
   267                          if (!access_ok(VERIFY_WRITE, (u8 __user *)
   268                                                  (uintptr_t) u_tmp->rx_buf,
   269                                                  u_tmp->len))
   270                                  goto done;
   271                          rx_buf += k_tmp->len;
   272                  }

regards,
dan carpenter
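
The accumulate-then-compare pattern flagged in this message, next to an overflow-safe variant, as an added example that is not part of the original message or of the kernel source. It assumes the accumulators are 32-bit unsigned and a 4096-byte bounce buffer; `struct xfer`, `check_wrapping`, `check_safe` and the sample lengths are hypothetical names and constructed values.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
/* Hypothetical stand-in for the two per-transfer fields the loop reads. */
struct xfer { uint32_t len; int has_rx; };

/* Add-then-compare, as in the quoted loop (assumed 32-bit unsigned sums). */
static int check_wrapping(const struct xfer *x, size_t n, uint32_t bufsiz)
{
	uint32_t total = 0, rx_total = 0;
	for (size_t i = 0; i < n; i++) {
		total += x[i].len;                 /* can wrap modulo 2^32 */
		if (total > (uint32_t)INT_MAX)
			return -EMSGSIZE;
		if (x[i].has_rx) {
			rx_total += x[i].len;      /* can wrap as well */
			if (rx_total > bufsiz)
				return -EMSGSIZE;
		}
	}
	return (int)total;
}

/* Compare each length with the room left before adding it.
 * rx_total <= bufsiz always holds, so bufsiz - rx_total cannot underflow. */
static int check_safe(const struct xfer *x, size_t n, uint32_t bufsiz)
{
	uint32_t total = 0, rx_total = 0;
	for (size_t i = 0; i < n; i++) {
		if (x[i].len > (uint32_t)INT_MAX - total)
			return -EMSGSIZE;
		total += x[i].len;
		if (x[i].has_rx) {
			if (x[i].len > bufsiz - rx_total)
				return -EMSGSIZE;
			rx_total += x[i].len;
		}
	}
	return (int)total;
}

/* Constructed inputs: the second length makes both sums wrap to 1. */
static const struct xfer wrap_case[] = { { 4096, 1 }, { 0xFFFFF001u, 1 } };
static const struct xfer ok_case[] = { { 1024, 1 }, { 2048, 0 }, { 1024, 1 } };
int main(void)
{
	printf("wrapping=%d safe=%d ok=%d\n", check_wrapping(wrap_case, 2, 4096),
	       check_safe(wrap_case, 2, 4096), check_safe(ok_case, 3, 4096));
	return 0;
}
```

In the wrapping version the constructed pair is accepted with a reported total of 1, while the per-transfer length that would advance the bounce-buffer pointer is far larger than the buffer.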