diff mbox series

[2/2] usb: typec: tipd: Add an additional overflow check

Message ID 20210914104253.61365-2-sven@svenpeter.dev (mailing list archive)
State Superseded
Headers show
Series [1/2] usb: typec: tipd: Don't read/write more bytes than required | expand

Commit Message

Sven Peter Sept. 14, 2021, 10:42 a.m. UTC
tps6598x_block_read already checks for the maximum length of the read
but tps6598x_block_write does not. Add the symmetric check there as
well.

Signed-off-by: Sven Peter <sven@svenpeter.dev>
---
 drivers/usb/typec/tipd/core.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Greg Kroah-Hartman Sept. 14, 2021, 11 a.m. UTC | #1
On Tue, Sep 14, 2021 at 12:42:53PM +0200, Sven Peter wrote:
> tps6598x_block_read already checks for the maximum length of the read
> but tps6598x_block_write does not. Add the symmetric check there as
> well.
> 
> Signed-off-by: Sven Peter <sven@svenpeter.dev>
> ---
>  drivers/usb/typec/tipd/core.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/usb/typec/tipd/core.c b/drivers/usb/typec/tipd/core.c
> index c18ec3785592..70e2d0d410c9 100644
> --- a/drivers/usb/typec/tipd/core.c
> +++ b/drivers/usb/typec/tipd/core.c
> @@ -139,6 +139,9 @@ static int tps6598x_block_write(struct tps6598x *tps, u8 reg,
>  {
>  	u8 data[TPS_MAX_LEN + 1];
>  
> +	if (WARN_ON(len + 1 > sizeof(data)))
> +		return -EINVAL;

No need to crash anything.  If this is a valid thing for us to check,
let's check it and handle the error, but we should not reboot systems
that are running with panic-on-warn enabled, right?

thanks,

greg k-h
Sven Peter Sept. 14, 2021, 11:18 a.m. UTC | #2
On Tue, Sep 14, 2021, at 13:00, Greg Kroah-Hartman wrote:
> On Tue, Sep 14, 2021 at 12:42:53PM +0200, Sven Peter wrote:
> > tps6598x_block_read already checks for the maximum length of the read
> > but tps6598x_block_write does not. Add the symmetric check there as
> > well.
> > 
> > Signed-off-by: Sven Peter <sven@svenpeter.dev>
> > ---
> >  drivers/usb/typec/tipd/core.c | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/drivers/usb/typec/tipd/core.c b/drivers/usb/typec/tipd/core.c
> > index c18ec3785592..70e2d0d410c9 100644
> > --- a/drivers/usb/typec/tipd/core.c
> > +++ b/drivers/usb/typec/tipd/core.c
> > @@ -139,6 +139,9 @@ static int tps6598x_block_write(struct tps6598x *tps, u8 reg,
> >  {
> >  	u8 data[TPS_MAX_LEN + 1];
> >  
> > +	if (WARN_ON(len + 1 > sizeof(data)))
> > +		return -EINVAL;
> 
> No need to crash anything.  If this is a valid thing for us to check,
> let's check it and handle the error, but we should not reboot systems
> that are running with panic-on-warn enabled, right?

Sure, that makes sense. I guess the same point applies to the WARN_ON in
the same check in tps6598x_block_read. I can add a patch to remove that one
to v2 as well.


thanks,


Sven
Greg Kroah-Hartman Sept. 14, 2021, 11:23 a.m. UTC | #3
On Tue, Sep 14, 2021 at 01:18:16PM +0200, Sven Peter wrote:
> 
> 
> On Tue, Sep 14, 2021, at 13:00, Greg Kroah-Hartman wrote:
> > On Tue, Sep 14, 2021 at 12:42:53PM +0200, Sven Peter wrote:
> > > tps6598x_block_read already checks for the maximum length of the read
> > > but tps6598x_block_write does not. Add the symmetric check there as
> > > well.
> > > 
> > > Signed-off-by: Sven Peter <sven@svenpeter.dev>
> > > ---
> > >  drivers/usb/typec/tipd/core.c | 3 +++
> > >  1 file changed, 3 insertions(+)
> > > 
> > > diff --git a/drivers/usb/typec/tipd/core.c b/drivers/usb/typec/tipd/core.c
> > > index c18ec3785592..70e2d0d410c9 100644
> > > --- a/drivers/usb/typec/tipd/core.c
> > > +++ b/drivers/usb/typec/tipd/core.c
> > > @@ -139,6 +139,9 @@ static int tps6598x_block_write(struct tps6598x *tps, u8 reg,
> > >  {
> > >  	u8 data[TPS_MAX_LEN + 1];
> > >  
> > > +	if (WARN_ON(len + 1 > sizeof(data)))
> > > +		return -EINVAL;
> > 
> > No need to crash anything.  If this is a valid thing for us to check,
> > let's check it and handle the error, but we should not reboot systems
> > that are running with panic-on-warn enabled, right?
> 
> Sure, that makes sense. I guess the same point applies to the WARN_ON in
> the same check in tps6598x_block_read. I can add a patch to remove that one
> to v2 as well.

That would be great, thanks.

greg k-h
diff mbox series

Patch

diff --git a/drivers/usb/typec/tipd/core.c b/drivers/usb/typec/tipd/core.c
index c18ec3785592..70e2d0d410c9 100644
--- a/drivers/usb/typec/tipd/core.c
+++ b/drivers/usb/typec/tipd/core.c
@@ -139,6 +139,9 @@  static int tps6598x_block_write(struct tps6598x *tps, u8 reg,
 {
 	u8 data[TPS_MAX_LEN + 1];
 
+	if (WARN_ON(len + 1 > sizeof(data)))
+		return -EINVAL;
+
 	if (!tps->i2c_protocol)
 		return regmap_raw_write(tps->regmap, reg, val, len);