2010-11-07 23:53:28

by Alan

Subject: Re: [PATCH] input: spi: Driver for SPI data stream driven vibrator


> + datalen = p->custom_len * sizeof(p->custom_data[0]);

signed

> + if (datalen > MAX_EFFECT_SIZE) {

unsigned

> + memcpy(einfo->buf, p->custom_data, datalen);

ungood
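Review bot: `datalen` is declared signed, so a negative `custom_len` produces a negative `datalen` that passes `if (datalen > MAX_EFFECT_SIZE)` and is then converted to a very large `size_t` when handed to `memcpy()`; declare `datalen` as `size_t` (or reject `custom_len < 0` before computing it) so the bound is checked on an unsigned value. Separately, if `p->custom_data` is a user-space pointer, the copy into `einfo->buf` has to go through `copy_from_user()` with its return value checked, not `memcpy()`.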


2010-11-08 11:08:57

by Ilkka Koskinen

Subject: RE: [PATCH] input: spi: Driver for SPI data stream driven vibrator

Hi,

>From: ext Alan Cox [mailto:[email protected]]
>Sent: 08 November, 2010 01:52
>
>> + datalen = p->custom_len * sizeof(p->custom_data[0]);
>
>signed
>
>> + if (datalen > MAX_EFFECT_SIZE) {
>
>unsigned

It should be unsigned. I'll fix it.

>> + memcpy(einfo->buf, p->custom_data, datalen);
>
>ungood

Yep, that's clearly wrong too. Should be copy_from_user() I suppose.

Thanks, Ilkka

2010-11-08 11:40:34

by Alan

Subject: Re: [PATCH] input: spi: Driver for SPI data stream driven vibrator

On Mon, 8 Nov 2010 12:08:07 +0100
<[email protected]> wrote:

> Hi,
>
> >From: ext Alan Cox [mailto:[email protected]]
> >Sent: 08 November, 2010 01:52
> >
> >> + datalen = p->custom_len * sizeof(p->custom_data[0]);
> >
> >signed
> >
> >> + if (datalen > MAX_EFFECT_SIZE) {
> >
> >unsigned
>
> It should be unsigned. I'll fix it.
>
> >> + memcpy(einfo->buf, p->custom_data, datalen);
> >
> >ungood
>
> Yep, that's clearly wrong too. Should be copy_from_user() I suppose.

That I hadn't considered - and I'm not sure whether the caller is passed
a kernel copy or not. The problem I was looking at was just the signed
case

datalen < 0
if (datalen > MAX ..)
Nope

memcpy(kernel, mysource, vastly more than intended (unsigned))
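The signed-compare failure described above, as an added example that is not part of the thread or the driver: the original shape of the check with a signed `datalen`, beside a corrected version. `MAX_EFFECT_SIZE`'s value, `struct effect_in` and the function names are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed bound; the driver's real MAX_EFFECT_SIZE is not on the page. */
#define MAX_EFFECT_SIZE 256

/* Hypothetical stand-in for the p->custom_len / p->custom_data fields. */
struct effect_in {
    int32_t custom_len;            /* element count supplied by the caller */
    const int16_t *custom_data;
};

/* Shape of the original check: datalen is a signed int. With a negative
 * custom_len the product truncates to a negative int, "> MAX_EFFECT_SIZE"
 * is false, and memcpy would be handed that value converted to a huge
 * size_t. Returns the length memcpy would receive, or 0 when rejected. */
size_t length_signed_check(const struct effect_in *p)
{
    int datalen = p->custom_len * sizeof(p->custom_data[0]);
    if (datalen > MAX_EFFECT_SIZE)
        return 0;                          /* rejected */
    return (size_t)datalen;                /* what memcpy would be asked to copy */
}

/* Corrected shape: reject a negative count, compute the byte length as
 * size_t, and bound it by both MAX_EFFECT_SIZE and the destination size
 * before copying. Returns true and sets *copied on success. */
bool copy_effect_data(int16_t *dst, size_t dst_size,
                      const struct effect_in *p, size_t *copied)
{
    if (p->custom_len < 0)
        return false;
    size_t datalen = (size_t)p->custom_len * sizeof(p->custom_data[0]);
    if (datalen > MAX_EFFECT_SIZE || datalen > dst_size)
        return false;
    /* In the driver this is copy_from_user() when custom_data is a user pointer. */
    memcpy(dst, p->custom_data, datalen);
    *copied = datalen;
    return true;
}
```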

2010-11-08 12:19:21

by Ilkka Koskinen

Subject: RE: [PATCH] input: spi: Driver for SPI data stream driven vibrator

>From: ext Alan Cox [mailto:[email protected]]
>Sent: 08 November, 2010 13:39
>
>On Mon, 8 Nov 2010 12:08:07 +0100
><[email protected]> wrote:
>
>> Hi,
>>
>> >From: ext Alan Cox [mailto:[email protected]]
>> >Sent: 08 November, 2010 01:52
>> >
>> >> + datalen = p->custom_len * sizeof(p->custom_data[0]);
>> >
>> >signed
>> >
>> >> + if (datalen > MAX_EFFECT_SIZE) {
>> >
>> >unsigned
>>
>> It should be unsigned. I'll fix it.
>>
>> >> + memcpy(einfo->buf, p->custom_data, datalen);
>> >
>> >ungood
>>
>> Yep, that's clearly wrong too. Should be copy_from_user() I suppose.
>
>That I hadn't considered - and I'm not sure whether the caller is passed
>a kernel copy or not. The problem I was looking at was just the signed
>case
>
> datalen < 0
> if (datalen > MAX ..)
> Nope
>
> memcpy(kernel, mysource, vastly more than intended (unsigned))

Ah, I got it now. Thanks for clarification :)

Cheers, Ilkka