Date: Mon, 23 Jul 2018 15:35:34 -0700
From: Dmitry Torokhov
To: Nick Dyer
Cc: linux-kernel@vger.kernel.org, linux-input@vger.kernel.org, Chris Healy, Nikita Yushchenko, Lucas Stach, Nick Dyer
Subject: Re: [PATCH v1 07/10] Input: atmel_mxt_ts - zero terminate config firmware file
Message-ID: <20180723223534.GK100814@dtor-ws>
References: <20180720215122.23558-1-nick@shmanahar.org> <20180720215122.23558-7-nick@shmanahar.org>
In-Reply-To: <20180720215122.23558-7-nick@shmanahar.org>

On Fri, Jul 20, 2018 at 10:51:19PM +0100, Nick Dyer wrote:
> From: Nick Dyer
>
> We use sscanf to parse the configuration file, so it's necessary to zero
> terminate the configuration otherwise a truncated file can cause the
> parser to run off into uninitialised memory.
>
> Signed-off-by: Nick Dyer
> ---
>  drivers/input/touchscreen/atmel_mxt_ts.c | 36 +++++++++++++++++-------
>  1 file changed, 26 insertions(+), 10 deletions(-)
> > diff --git a/drivers/input/touchscreen/atmel_mxt_ts.c b/drivers/input/touchscreen/atmel_mxt_ts.c > index 0ce126e918f1..2d1fddafb7f9 100644 > --- a/drivers/input/touchscreen/atmel_mxt_ts.c > +++ b/drivers/input/touchscreen/atmel_mxt_ts.c > @@ -279,7 +279,7 @@ enum mxt_suspend_mode { > > /* Config update context */ > struct mxt_cfg { > - const u8 *raw; > + u8 *raw; > size_t raw_size; > off_t raw_pos; > > @@ -1451,14 +1451,21 @@ static int mxt_update_cfg(struct mxt_data *data, const struct firmware *fw) > u32 info_crc, config_crc, calculated_crc; > u16 crc_start = 0; > > - cfg.raw = fw->data; > + /* Make zero terminated copy of the OBP_RAW file */ > + cfg.raw = kzalloc(fw->size + 1, GFP_KERNEL); kmemdup_nul()? I guess config is not that big to be concerned with kmalloc() vs vmalloc() and allocation failures... > + if (!cfg.raw) > + return -ENOMEM; > + > + memcpy(cfg.raw, fw->data, fw->size); > + cfg.raw[fw->size] = '\0'; > cfg.raw_size = fw->size; > > mxt_update_crc(data, MXT_COMMAND_REPORTALL, 1); > > if (strncmp(cfg.raw, MXT_CFG_MAGIC, strlen(MXT_CFG_MAGIC))) { > dev_err(dev, "Unrecognised config file\n"); > - return -EINVAL; > + ret = -EINVAL; > + goto release_raw; > } > > cfg.raw_pos = strlen(MXT_CFG_MAGIC); > @@ -1470,7 +1477,8 @@ static int mxt_update_cfg(struct mxt_data *data, const struct firmware *fw) > &offset); > if (ret != 1) { > dev_err(dev, "Bad format\n"); > - return -EINVAL; > + ret = -EINVAL; > + goto release_raw; > } > > cfg.raw_pos += offset; 
> @@ -1478,26 +1486,30 @@ static int mxt_update_cfg(struct mxt_data *data, const struct firmware *fw) > > if (cfg.info.family_id != data->info->family_id) { > dev_err(dev, "Family ID mismatch!\n"); > - return -EINVAL; > + ret = -EINVAL; > + goto release_raw; > } > > if (cfg.info.variant_id != data->info->variant_id) { > dev_err(dev, "Variant ID mismatch!\n"); > - return -EINVAL; > + ret = -EINVAL; > + goto release_raw; > } > > /* Read CRCs */ > ret = sscanf(cfg.raw + cfg.raw_pos, "%x%n", &info_crc, &offset); > if (ret != 1) { > dev_err(dev, "Bad format: failed to parse Info CRC\n"); > - return -EINVAL; > + ret = -EINVAL; > + goto release_raw; > } > cfg.raw_pos += offset; > > ret = sscanf(cfg.raw + cfg.raw_pos, "%x%n", &config_crc, &offset); > if (ret != 1) { > dev_err(dev, "Bad format: failed to parse Config CRC\n"); > - return -EINVAL; > + ret = -EINVAL; > + goto release_raw; > } > cfg.raw_pos += offset; > > @@ -1530,8 +1542,10 @@ static int mxt_update_cfg(struct mxt_data *data, const struct firmware *fw) > MXT_INFO_CHECKSUM_SIZE; > cfg.mem_size = data->mem_size - cfg.start_ofs; > cfg.mem = kzalloc(cfg.mem_size, GFP_KERNEL); > - if (!cfg.mem) > - return -ENOMEM; > + if (!cfg.mem) { > + ret = -ENOMEM; > + goto release_raw; > + } > > ret = mxt_prepare_cfg_mem(data, &cfg); > if (ret) > @@ -1570,6 +1584,8 @@ static int mxt_update_cfg(struct mxt_data *data, const struct firmware *fw) > /* T7 config may have changed */ > mxt_init_t7_power_cfg(data); > > +release_raw: > + kfree(cfg.raw); > release_mem: > kfree(cfg.mem); > return ret; > -- > 2.17.1 > -- Dmitry
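
Review bot: the zero-terminated copy at the top of mxt_update_cfg() writes the terminator twice and zeroes memory it then overwrites: kzalloc(fw->size + 1, ...) clears the whole buffer, memcpy() immediately fills the first fw->size bytes, and cfg.raw[fw->size] = '\0' sets a byte that is already zero. Either use kmemdup_nul(), as suggested inline, which allocates, copies and terminates in one call, or switch to kmalloc() and keep the explicit terminator. The comment above the allocation could also say that cfg.raw_size deliberately stays at fw->size and does not count the terminator, since the parser's bounds depend on that.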
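
Review bot: the new release_raw: label in the last hunk sits above release_mem:, so every early `goto release_raw` taken before cfg.mem is allocated (the magic check, the info block sscanf(), the family and variant ID checks, and the two CRC parses) falls through into kfree(cfg.mem). Nothing in the visible hunks initialises cfg.mem before that point, so unless cfg is zeroed at its declaration this hands an uninitialised pointer to kfree(). Swapping the order, so that release_mem: does kfree(cfg.mem) and then falls through to release_raw: with kfree(cfg.raw), keeps the early exits away from cfg.mem while the later paths still free both buffers.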