From: Michael Ellerman <mpe@ellerman•id.au>
To: Stephen Rothwell <sfr@canb•auug.org.au>,
Greg Kroah-Hartman <gregkh@linuxfoundation•org>,
Jiri Slaby <jslaby@suse•com>, Scott Wood <oss@buserror•net>
Cc: PowerPC Mailing List <linuxppc-dev@lists•ozlabs.org>,
Timur Tabi <timur@kernel•org>
Subject: Re: [PATCH] evh_bytechan: fix out of bounds accesses
Date: Mon, 13 Jan 2020 23:26:00 +1100
Message-ID: <8736cj8rvr.fsf@mpe.ellerman.id.au>
In-Reply-To: <20200109183912.5fcb52aa@canb.auug.org.au>
Stephen Rothwell <sfr@canb•auug.org.au> writes:
> ev_byte_channel_send() assumes that its third argument is a 16 byte array.
> Some places where it is called it may not be (or we can't easily tell
> if it is). Newer compilers have started producing warnings about this,
> so make sure we actually pass a 16 byte array.
>
> There may be more elegant solutions to this, but the driver is quite
> old and hasn't been updated in many years.
...
> Fixes: dcd83aaff1c8 ("tty/powerpc: introduce the ePAPR embedded hypervisor byte channel driver")
> Cc: Michael Ellerman <mpe@ellerman•id.au>
> Cc: PowerPC Mailing List <linuxppc-dev@lists•ozlabs.org>
> Signed-off-by: Stephen Rothwell <sfr@canb•auug.org.au>
> ---
> drivers/tty/ehv_bytechan.c | 20 +++++++++++++++++---
> 1 file changed, 17 insertions(+), 3 deletions(-)
>
> I have only build tested this change so it would be good to get some
> response from the PowerPC maintainers/developers.

I've never heard of it, and I have no idea how to test it.

It's not used by qemu, I guess there is/was a Freescale hypervisor that
used it.

But maybe it's time to remove it if it's not being maintained/used by
anyone?

cheers

> diff --git a/drivers/tty/ehv_bytechan.c b/drivers/tty/ehv_bytechan.c
> index 769e0a5d1dfc..546f80c49ae6 100644
> --- a/drivers/tty/ehv_bytechan.c
> +++ b/drivers/tty/ehv_bytechan.c
> @@ -136,6 +136,20 @@ static int find_console_handle(void)
> return 1;
> }
>
> +static unsigned int local_ev_byte_channel_send(unsigned int handle,
> + unsigned int *count, const char *p)
> +{
> + char buffer[EV_BYTE_CHANNEL_MAX_BYTES];
> + unsigned int c = *count;
> +
> + if (c < sizeof(buffer)) {
> + memcpy(buffer, p, c);
> + memset(&buffer[c], 0, sizeof(buffer) - c);
> + p = buffer;
> + }
> + return ev_byte_channel_send(handle, count, p);
> +}
> +
> /*************************** EARLY CONSOLE DRIVER ***************************/
>
> #ifdef CONFIG_PPC_EARLY_DEBUG_EHV_BC
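Review bot: local_ev_byte_channel_send() only pads when `c < sizeof(buffer)`; a count larger than EV_BYTE_CHANNEL_MAX_BYTES falls through with the caller's pointer and no check. The call sites changed in this patch cap the count at 1 or at EV_BYTE_CHANNEL_MAX_BYTES, so the helper is not handed a larger value by them, but clamping or rejecting `c > sizeof(buffer)` inside the helper would make it safe on its own. A short comment above the function stating that ev_byte_channel_send() assumes a 16 byte array, as the commit message says, would also help, and the `local_` prefix says little about what the helper does.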
> @@ -154,7 +168,7 @@ static void byte_channel_spin_send(const char data)
>
> do {
> count = 1;
> - ret = ev_byte_channel_send(CONFIG_PPC_EARLY_DEBUG_EHV_BC_HANDLE,
> + ret = local_ev_byte_channel_send(CONFIG_PPC_EARLY_DEBUG_EHV_BC_HANDLE,
> &count, &data);
> } while (ret == EV_EAGAIN);
> }
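Review bot: at this call in byte_channel_spin_send(), `&data` is the address of a single char parameter with `count = 1`, the clearest case of a caller not supplying a full array; a one-line comment at the call would stop someone later switching back to the direct ev_byte_channel_send() call. The wrapper repeats its copy and padding on every EV_EAGAIN retry, which is harmless for one byte.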
> @@ -221,7 +235,7 @@ static int ehv_bc_console_byte_channel_send(unsigned int handle, const char *s,
> while (count) {
> len = min_t(unsigned int, count, EV_BYTE_CHANNEL_MAX_BYTES);
> do {
> - ret = ev_byte_channel_send(handle, &len, s);
> + ret = local_ev_byte_channel_send(handle, &len, s);
> } while (ret == EV_EAGAIN);
> count -= len;
> s += len;
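Review bot: in the inner retry loop of ehv_bc_console_byte_channel_send(), `len` is not reset before retrying on EV_EAGAIN, unlike byte_channel_spin_send(), which sets `count = 1` on every iteration. The new wrapper reads `*count` on each call to decide how much to copy and pad, so if the callee can change `len` when it returns EV_EAGAIN, the retry copies that updated length. Worth confirming that is intended, or recomputing `len` inside the loop.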
> @@ -401,7 +415,7 @@ static void ehv_bc_tx_dequeue(struct ehv_bc_data *bc)
> CIRC_CNT_TO_END(bc->head, bc->tail, BUF_SIZE),
> EV_BYTE_CHANNEL_MAX_BYTES);
>
> - ret = ev_byte_channel_send(bc->handle, &len, bc->buf + bc->tail);
> + ret = local_ev_byte_channel_send(bc->handle, &len, bc->buf + bc->tail);
>
> /* 'len' is valid only if the return code is 0 or EV_EAGAIN */
> if (!ret || (ret == EV_EAGAIN))
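Review bot: the comment under the call in ehv_bc_tx_dequeue() is the only documentation at this site, and it does not say why the wrapper is needed. Since `len` is bounded by CIRC_CNT_TO_END(bc->head, bc->tail, BUF_SIZE), a send near the end of bc->buf can be shorter than EV_BYTE_CHANNEL_MAX_BYTES, and that is the case the bounce copy covers; noting that here would make the dependency explicit.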
> --
> 2.25.0.rc1
>
> --
> Cheers,
> Stephen Rothwell