If bytes is larger than EC_MEMMAP_SIZE (255) then "EC_MEMMAP_SIZE -
bytes" is a very high unsigned value and basically offset is
accepted. The second problem is that it uses >= instead of > so this
means that we are not able to read the very last byte.
Fixes: ec2f33ab582b ("platform/chrome: Add cros_ec_lpc driver for x86 devices")
Signed-off-by: Dan Carpenter <[email protected]>
---
drivers/platform/chrome/cros_ec_lpc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/platform/chrome/cros_ec_lpc.c b/drivers/platform/chrome/cros_ec_lpc.c
index d6306d2a096f..7e1d175def9f 100644
--- a/drivers/platform/chrome/cros_ec_lpc.c
+++ b/drivers/platform/chrome/cros_ec_lpc.c
@@ -290,7 +290,8 @@ static int cros_ec_lpc_readmem(struct cros_ec_device *ec, unsigned int offset,
char *s = dest;
int cnt = 0;
- if (offset >= EC_MEMMAP_SIZE - bytes)
+ if (offset > EC_MEMMAP_SIZE ||
+ bytes > EC_MEMMAP_SIZE - offset)
return -EINVAL;
/* fixed length */
--
2.20.1
On Thu, Dec 9, 2021 at 6:35 AM Dan Carpenter <[email protected]> wrote:
>
> If bytes is larger than EC_MEMMAP_SIZE (255) then "EC_MEMMAP_SIZE -
> bytes" is a very high unsigned value and basically offset is
> accepted. The second problem is that it uses >= instead of > so this
> means that we are not able to read the very last byte.
>
> Fixes: ec2f33ab582b ("platform/chrome: Add cros_ec_lpc driver for x86 devices")
> Signed-off-by: Dan Carpenter <[email protected]>
> ---
> drivers/platform/chrome/cros_ec_lpc.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/platform/chrome/cros_ec_lpc.c b/drivers/platform/chrome/cros_ec_lpc.c
> index d6306d2a096f..7e1d175def9f 100644
> --- a/drivers/platform/chrome/cros_ec_lpc.c
> +++ b/drivers/platform/chrome/cros_ec_lpc.c
> @@ -290,7 +290,8 @@ static int cros_ec_lpc_readmem(struct cros_ec_device *ec, unsigned int offset,
> char *s = dest;
> int cnt = 0;
>
> - if (offset >= EC_MEMMAP_SIZE - bytes)
> + if (offset > EC_MEMMAP_SIZE ||
> + bytes > EC_MEMMAP_SIZE - offset)
I think that means we have the same problem if offset >
EC_MEMMAP_SIZE, only now that condition isn't detected anymore because
EC_MEMMAP_SIZE - offset is a very large number.
I think what we really want is
if (offset + bytes > EC_MEMMAP_SIZE)
only without the overflow. Not sure how we can get there without
checking each part.
if (offset > EC_MEMMAP_SIZE || bytes > EC_MEMMAP_SIZE || bytes
+ offset > EC_MEMMAP_SIZE)
return -EINVAL;
Maybe that ?
if ((u64) offset + bytes > EC_MEMMAP_SIZE)
return -EINVAL;
Thanks,
Guenter
> return -EINVAL;
>
> /* fixed length */
> --
> 2.20.1
>
On Tue, Dec 14, 2021 at 03:02:41PM -0800, Guenter Roeck wrote:
> On Thu, Dec 9, 2021 at 6:35 AM Dan Carpenter <[email protected]> wrote:
> >
> > If bytes is larger than EC_MEMMAP_SIZE (255) then "EC_MEMMAP_SIZE -
> > bytes" is a very high unsigned value and basically offset is
> > accepted. The second problem is that it uses >= instead of > so this
> > means that we are not able to read the very last byte.
> >
> > Fixes: ec2f33ab582b ("platform/chrome: Add cros_ec_lpc driver for x86 devices")
> > Signed-off-by: Dan Carpenter <[email protected]>
> > ---
> > drivers/platform/chrome/cros_ec_lpc.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/drivers/platform/chrome/cros_ec_lpc.c b/drivers/platform/chrome/cros_ec_lpc.c
> > index d6306d2a096f..7e1d175def9f 100644
> > --- a/drivers/platform/chrome/cros_ec_lpc.c
> > +++ b/drivers/platform/chrome/cros_ec_lpc.c
> > @@ -290,7 +290,8 @@ static int cros_ec_lpc_readmem(struct cros_ec_device *ec, unsigned int offset,
> > char *s = dest;
> > int cnt = 0;
> >
> > - if (offset >= EC_MEMMAP_SIZE - bytes)
> > + if (offset > EC_MEMMAP_SIZE ||
> > + bytes > EC_MEMMAP_SIZE - offset)
>
> I think that means we have the same problem if offset >
> EC_MEMMAP_SIZE, only now that condition isn't detected anymore because
> EC_MEMMAP_SIZE - offset is a very large number.
That's the bug which my patch addresses. (My patch is option 1).
> I think what we really want is
> if (offset + bytes > EC_MEMMAP_SIZE)
> only without the overflow. Not sure how we can get there without
> checking each part.
> if (offset > EC_MEMMAP_SIZE || bytes > EC_MEMMAP_SIZE || bytes
> + offset > EC_MEMMAP_SIZE)
That is another solution which works.
> return -EINVAL;
> Maybe that ?
> if ((u64) offset + bytes > EC_MEMMAP_SIZE)
> return -EINVAL;
A third viable solution.
I generally prefer option 2 to option 3. I generally use that in code
that I'm writing. There was one time Linus said he liked option 1
which I used here because it works regardless of the types or the valu
of EC_MEMMAP_SIZE. This code already used the bytes > size - offset
idiom so I kept it as similar as possible.
regards,
dan carpenter
On Wed, Dec 15, 2021 at 12:20 AM Dan Carpenter <[email protected]> wrote:
>
> On Tue, Dec 14, 2021 at 03:02:41PM -0800, Guenter Roeck wrote:
> > On Thu, Dec 9, 2021 at 6:35 AM Dan Carpenter <[email protected]> wrote:
> > >
> > > If bytes is larger than EC_MEMMAP_SIZE (255) then "EC_MEMMAP_SIZE -
> > > bytes" is a very high unsigned value and basically offset is
> > > accepted. The second problem is that it uses >= instead of > so this
> > > means that we are not able to read the very last byte.
> > >
> > > Fixes: ec2f33ab582b ("platform/chrome: Add cros_ec_lpc driver for x86 devices")
> > > Signed-off-by: Dan Carpenter <[email protected]>
> > > ---
> > > drivers/platform/chrome/cros_ec_lpc.c | 3 ++-
> > > 1 file changed, 2 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/drivers/platform/chrome/cros_ec_lpc.c b/drivers/platform/chrome/cros_ec_lpc.c
> > > index d6306d2a096f..7e1d175def9f 100644
> > > --- a/drivers/platform/chrome/cros_ec_lpc.c
> > > +++ b/drivers/platform/chrome/cros_ec_lpc.c
> > > @@ -290,7 +290,8 @@ static int cros_ec_lpc_readmem(struct cros_ec_device *ec, unsigned int offset,
> > > char *s = dest;
> > > int cnt = 0;
> > >
> > > - if (offset >= EC_MEMMAP_SIZE - bytes)
> > > + if (offset > EC_MEMMAP_SIZE ||
> > > + bytes > EC_MEMMAP_SIZE - offset)
> >
> > I think that means we have the same problem if offset >
> > EC_MEMMAP_SIZE, only now that condition isn't detected anymore because
> > EC_MEMMAP_SIZE - offset is a very large number.
>
> That's the bug which my patch addresses. (My patch is option 1).
>
Ah yes, for some reason I overlooked the "offset > EC_MEMMAP_SIZE"
part in your patch. Sorry, I must have been blind.
Reviewed-by: Guenter Roeck <[email protected]>
Guenter
> > I think what we really want is
> > if (offset + bytes > EC_MEMMAP_SIZE)
> > only without the overflow. Not sure how we can get there without
> > checking each part.
> > if (offset > EC_MEMMAP_SIZE || bytes > EC_MEMMAP_SIZE || bytes
> > + offset > EC_MEMMAP_SIZE)
>
> That is another solution which works.
>
> > return -EINVAL;
> > Maybe that ?
> > if ((u64) offset + bytes > EC_MEMMAP_SIZE)
> > return -EINVAL;
>
> A third viable solution.
>
> I generally prefer option 2 to option 3. I generally use that in code
> that I'm writing. There was one time Linus said he liked option 1
> which I used here because it works regardless of the types or the valu
> of EC_MEMMAP_SIZE. This code already used the bytes > size - offset
> idiom so I kept it as similar as possible.
>
> regards,
> dan carpenter
>