h, this is odd. The only thing I could see here with more study was
that ring_tail is used/updated outside of the rbsl lock in
ld_usb_read(). I couldn't convince myself there wasn't a race against
the interrupt, but I also couldn't think of a way it could break...
--
Kees Cook
_in_buffer from ring_buffer into userspace */
if (copy_to_user(buffer, actual_buffer+1, bytes_to_read)) {
retval = -EFAULT;
goto unlock_exit;
}
I assume what's stored at actual_buffer is bogus and needs validation
somewhere before it's actually used. (If not here, maybe wherever the
write into the buffer originally happens?)
--
Kees Cook
ide-effects:
1) something that checks for ERR_PTRs combined with a high allocation
will think it failed and leak the allocation.
2) something that doesn't check ERR_PTRs might try to stomp on an actual
allocation in that area.
How/why is there memory allocated there, I thought it was intentionally
left unused specifically for ERR_PTR:
Documentation/x86/x86_64/mm.rst:
Start addr| Offset | End addr | Size | VM area description
==
...
ffe0 | -2 MB | | 2 MB | ...unused hole
or is this still a real bug with an invalid dev->hid->rdesc which was
about to fault but usercopy got in the way first?
--
Kees Cook
value[0]),
> dev->hid->rdesc,
> min(dev->hid->rsize, len)))
>
> That 'min' should surely be a 'max'?
>
> Jiri, this looks like it was your code back in 2007.
I think this code is correct and the usercopy reporting fix already in
-mm solves the problem.
--
Kees Cook
INK_STD_HOST_NC_8505:
> ^~~~
> drivers/usb/phy/phy-ab8500-usb.c:370:9: warning: this statement may fall
> through [-Wimplicit-fallthrough=]
>event = UX500_MUSB_RIDA;
>~~^
> drivers/usb/phy/phy-ab8500-usb.c:371:2: note: here
> case USB_LINK_HM_ID
o be working on fixing this. At a
glance, this patch appears to be more complete in that it makes the code
flow more sane too.
Reviewed-by: Kees Cook
-Kees
> ---
> drivers/media/usb/dvb-usb/technisat-usb2.c | 22 ++
> 1 file changed, 10 insertions(+), 12 deletions(-)
On Mon, Jan 28, 2019 at 4:12 PM Alexander Popov wrote:
>
> On 23.01.2019 14:03, Kees Cook wrote:
> > This adds a new plugin "stackinit" that attempts to perform unconditional
> > initialization of all stack variables
>
> Hello Kees! Hello everyone!
>
> I
ts
> for both.
GCC is reasonable at this. The main issue, though, was most of these
places were using the variables in multiple case statements, so they
couldn't be limited to a single block (or they'd need to be manually
repeated in each block, which is even more ugly, IMO).
Whatever the consensus, I'm happy to tweak the patch.
Thanks!
--
Kees Cook
On Thu, Jan 24, 2019 at 4:44 AM Jani Nikula wrote:
>
> On Wed, 23 Jan 2019, Edwin Zimmerman wrote:
> > On Wed, 23 Jan 2019, Jani Nikula wrote:
> >> On Wed, 23 Jan 2019, Greg KH wrote:
> >> > On Wed, Jan 23, 2019 at 03:03:47AM -0800, Kees Cook wrote:
>
/lkml.kernel.org/r/CA+55aFykZL+cSBJjBBts7ebEFfyGPdMzTmLSxKnT_29=j94...@mail.gmail.com
Kees Cook (3):
treewide: Lift switch variables out of switches
gcc-plugins: Introduce stackinit plugin
lib: Introduce test_stackinit module
arch/x86/xen/enlighten_pv.c | 7 +-
d
: warning: statement will never be executed
[-Wswitch-unreachable]
siginfo_t si;
^~
Signed-off-by: Kees Cook
---
arch/x86/xen/enlighten_pv.c | 7 ---
drivers/char/pcmcia/cm4000_cs.c | 2 +-
drivers/char/ppdev.c | 20
on't depend on being zero. :)
[1] https://gcc.gnu.org/ml/gcc-patches/2014-06/msg00615.html
[2]
https://lkml.kernel.org/r/CA+55aFykZL+cSBJjBBts7ebEFfyGPdMzTmLSxKnT_29=j94...@mail.gmail.com
Signed-off-by: Kees Cook
---
scripts/Makefile.gcc-plugins | 6 ++
scripts/gcc-plugin
kinit: small_hole_runtime_all ok
test_stackinit: big_hole_runtime_all ok
test_stackinit: u8 ok
test_stackinit: u16 ok
test_stackinit: u32 ok
test_stackinit: u64 ok
test_stackinit: char_array ok
test_stackinit: small_hole ok
test_stackinit: big_hole ok
test_stackinit: user ok
test_stackinit: failures: 4
Signed-off-by:
-zNmZwX4A2FQpadafLfEzK6CC=qpxydaacu1rq...@mail.gmail.com
Cc: Greg Kroah-Hartman
Cc: Felipe Balbi
Cc: Johan Hovold
Cc: "Gustavo A. R. Silva"
Cc: linux-usb@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/usb/wusbcore/crypto.c | 16
1 file changed, 8 insertions(+), 8 deletion
've
been trying to eliminate it in the kernel. I thought there was a safer
way to use iters now?
-Kees
--
Kees Cook
Pixel Security
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http:/
On Wed, Mar 7, 2018 at 10:38 AM, Himanshu Jha
wrote:
> Use kasprintf instead of combination of kmalloc and sprintf and
> therefore avoid unnecessary computation of string length.
> Also, remove the useless local variable.
>
> Signed-off-by: Himanshu Jha
Reviewed-by: Ke
.
Signed-off-by: Kees Cook
---
include/linux/console.h | 58 +++--
1 file changed, 32 insertions(+), 26 deletions(-)
diff --git a/include/linux/console.h b/include/linux/console.h
index b8920a031a3e..dfd6b0e97855 100644
--- a/include/linux/console.h
+++ b
This is a small series that cleans up struct consw a bit and
prepares it for Control Flow Integrity checking (i.e. Clang's
-fsanitize=cfi).
Thanks!
-Kees
As done in commit:
724ba8b30b04 ("console/dummy: leave .con_font_get set to NULL")
This drops the dummy .con_font_get(), as it could leave arguments
uninitialized.
Cc: Thomas Winischhofer
Signed-off-by: Kees Cook
---
drivers/usb/misc/sisusbvga/sisusb_con.c | 1 -
1 file changed,
This expands the no-op dummy functions into full prototypes to avoid
indirect call mismatches when running under Control Flow Integrity
checking, like with Clang's -fsanitize=cfi.
Co-Developed-by: Sami Tolvanen
Signed-off-by: Sami Tolvanen
Signed-off-by: Kees Cook
---
drivers/usb
Instead of kmalloc() with manually calculated values followed by
multiple strcpy()/strcat() calls, just fold it all into a single
kasprintf() call.
Signed-off-by: Kees Cook
---
drivers/usb/misc/chaoskey.c | 8 ++--
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/drivers/usb
On Mon, Oct 30, 2017 at 9:29 AM, Bin Liu wrote:
> Now struct musb has the timer (dev_timer) for glue drivers, so let's
> remove the duplicated timer defined in dsps glue driver, and use
> dev_timer defined in struct musb.
>
> Signed-off-by: Bin Liu
Reviewed-by: Kees Cook
f-by: Douglas Anderson
> Cc: Kees Cook
Acked-by: Kees Cook
This matches my automated Coccinelle output for this code. (Actually,
it's better because it fixes the documentation too.) Please feel free
to take the patch into -next in advance of the global replacement.
Thanks!
-Kees
This also uses timer_setup_on_stack() (only in -next). If it's okay,
I'll carry it in the timers tree.
Thanks!
-Kees
On Tue, Oct 24, 2017 at 12:08 PM, Kees Cook wrote:
> In preparation for unconditionally passing the struct timer_list pointer to
> all timer callbacks, switch
Sorry, I sent this one but forgot that timer_setup_on_stack() is in
-next only. If it's okay, I can carry it in the timers tree.
Thanks!
-Kees
On Tue, Oct 24, 2017 at 12:27 PM, Felipe Balbi
wrote:
> Kees Cook writes:
>
>> In preparation for unconditionally passing the
On Tue, Oct 24, 2017 at 10:55 AM, Allen Pais wrote:
> Switch to using the new timer_setup() and from_timer()
> for drivers/hid/*
>
> Cc: Kees Cook
> Signed-off-by: Allen Pais
Yup, this matches what I'd expect for timer_setup() conversion in
these files, thanks!
-Kees
...@lists.infradead.org
Cc: linux-amlo...@lists.infradead.org
Cc: linux-o...@vger.kernel.org
Cc: linux-usb@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/mmc/host/atmel-mci.c | 13 ++---
drivers/mmc/host/dw_mmc.c| 21 +
drivers/mmc/host/jz4740_mmc.c| 7
: Kees Cook
---
drivers/usb/usbip/vudc_transfer.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/usbip/vudc_transfer.c
b/drivers/usb/usbip/vudc_transfer.c
index 4cfd475ee865..718f1595a18e 100644
--- a/drivers/usb/usbip/vudc_transfer.c
+++ b/drivers/usb/usbip
Cc: "Gustavo A. R. Silva"
Cc: accessrunner-gene...@lists.sourceforge.net
Cc: linux-usb@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/usb/atm/cxacru.c | 23 ---
drivers/usb/atm/speedtch.c | 16
drivers/usb/atm/usbatm.c | 10 +-
3 fil
: Greg Kroah-Hartman
Cc: Chris Brandt
Cc: Julia Lawall
Cc: linux-usb@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/usb/host/r8a66597-hcd.c | 27 ++-
drivers/usb/host/r8a66597.h | 11 +--
2 files changed, 23 insertions(+), 15 deletions(-)
diff --git a
Stern
Cc: "Gustavo A. R. Silva"
Cc: linux-usb@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/usb/misc/usbtest.c | 22 +++---
1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c
index 3639e00a51a0..7f
ucture for devices to use for their per-device
timer.
Cc: Bin Liu
Cc: Greg Kroah-Hartman
Cc: linux-usb@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/usb/musb/am35x.c | 24 +++-
drivers/usb/musb/blackfin.c | 13 ++---
drivers/usb/musb/blackfin.h | 2 -
org
Signed-off-by: Kees Cook
---
drivers/usb/isp1760/isp1760-hcd.c | 8 +---
drivers/usb/isp1760/isp1760-udc.c | 7 +++
2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/drivers/usb/isp1760/isp1760-hcd.c
b/drivers/usb/isp1760/isp1760-hcd.c
index 8e59e0c02b8a..2b67eb889d41 10
: linux-usb@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/usb/gadget/legacy/zero.c | 8 +---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/gadget/legacy/zero.c b/drivers/usb/gadget/legacy/zero.c
index d02e2ce73ea5..3acc589dae98 100644
--- a/drivers/usb/gadget
o minimise any
> particularly complex conflicts.
FWIW, timer_setup() should be preferred over setup_timer().
-Kees
--
Kees Cook
Pixel Security
linux-next is concerned, but any non trivial
> conflicts should be mentioned to your upstream maintainer when your tree
> is submitted for merging. You may also want to consider cooperating
> with the maintainer of the conflicting tree to minimise any particularly
> complex conflict
too. When tasklets have their .data field removed, this can be refactored
to call a central function after resolving the correct container_of() for a
separate callback function for timer and tasklet.
Cc: Oliver Neukum
Cc: net...@vger.kernel.org
Cc: linux-usb@vger.kernel.org
Signed-off-by: Kees Cook
: Philippe Reynes
Cc: Jarod Wilson
Cc: Arvind Yadav
Cc: "Bjørn Mork"
Cc: "Stefan Brüns"
Cc: Alexey Dobriyan
Cc: Greg Ungerer
Cc: linux-usb@vger.kernel.org
Cc: net...@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/net/usb/catc.c | 6 +++---
dri
In preparation for unconditionally passing the struct timer_list pointer to
all timer callbacks, switch to using the new timer_setup() and from_timer()
to pass the timer pointer explicitly.
Cc: Felipe Balbi
Cc: Greg Kroah-Hartman
Cc: linux-usb@vger.kernel.org
Signed-off-by: Kees Cook
ned-off-by: Kees Cook
---
drivers/usb/gadget/udc/snps_udc_core.c | 19 ++-
1 file changed, 6 insertions(+), 13 deletions(-)
diff --git a/drivers/usb/gadget/udc/snps_udc_core.c
b/drivers/usb/gadget/udc/snps_udc_core.c
index 47df99dbaef4..2f5e788dd978 100644
--- a/drivers/usb/
Signed-off-by: Kees Cook
Acked-by: Tony Lindgren
---
drivers/usb/phy/phy-isp1301-omap.c | 8 +---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/phy/phy-isp1301-omap.c
b/drivers/usb/phy/phy-isp1301-omap.c
index 8a07ce63b92d..00bcc6c6db17 100644
--- a/drivers/usb/phy
In preparation for unconditionally passing the struct timer_list pointer to
all timer callbacks, switch to using the new timer_setup() and from_timer()
to pass the timer pointer explicitly.
Cc: Mathias Nyman
Cc: Greg Kroah-Hartman
Cc: linux-usb@vger.kernel.org
Signed-off-by: Kees Cook
dler;
garmin_data_p->port = port;
garmin_data_p->state = 0;
garmin_data_p->flags = 0;
--
2.7.4
--
Kees Cook
Pixel Security
Signed-off-by: Kees Cook
---
This requires commit 686fef928bba ("timer: Prepare to change timer
callback argument type") in v4.14-rc3, but should be otherwise
stand-alone.
---
drivers/net/usb/usbnet.c | 12 +---
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/drive
...@vger.kernel.org
Cc: linux-usb@vger.kernel.org
Cc: Thomas Gleixner
Signed-off-by: Kees Cook
---
This requires commit 686fef928bba ("timer: Prepare to change timer
callback argument type") in v4.14-rc3, but should be otherwise
stand-alone.
---
drivers/hid/hid-multitouch.c | 10 ++---
: Kees Cook
---
This requires commit 686fef928bba ("timer: Prepare to change timer
callback argument type") in v4.14-rc3, but should be otherwise
stand-alone.
---
drivers/usb/host/xhci-mem.c | 4 ++--
drivers/usb/host/xhci-ring.c | 9 +++--
drivers/usb/host/xhci.h | 2 +-
3 fil
: Thomas Gleixner
Signed-off-by: Kees Cook
---
This requires commit 686fef928bba ("timer: Prepare to change timer
callback argument type") in v4.14-rc3, but should be otherwise
stand-alone.
---
drivers/usb/phy/phy-isp1301-omap.c | 10 +-
1 file changed, 5 insertions(+), 5 deletion
: Raviteja Garimella
Cc: Michal Nazarewicz
Cc: "Gustavo A. R. Silva"
Cc: linux-usb@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/usb/gadget/udc/snps_udc_core.c | 14 --
1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/drivers/usb/gadget/udc/snps_udc_core.c
: linux-o...@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/usb/phy/phy-isp1301-omap.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/usb/phy/phy-isp1301-omap.c
b/drivers/usb/phy/phy-isp1301-omap.c
index 5630840b77b1..8a07ce63b92d 100644
--- a/drivers/usb/phy/phy-isp1301-omap.c
+++ b
On Sun, Sep 3, 2017 at 2:12 PM, Michal Nazarewicz wrote:
> On Thu, Aug 31 2017, Kees Cook wrote:
>> With timer initialization made earlier at the start, there is no reason
>> to make del_timer_sync() calls conditionally, thereby removing the
>> assignments and tests of the
> + if (!str)
> + return -ENOMEM;
> + }
> + strcpy(str, s);
> if (str[ret - 1] == '\n')
> str[ret - 1] = '\0';
> - kfree(copy);
> *s_copy = str;
> return 0;
> }
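Review bot: `str[ret - 1]`, read right after `strcpy(str, s);`, has no visible guard that `ret` is at least 1; if `ret` can be 0, this reads (and may write) one byte before the buffer, so a `ret > 0` test in that condition would make it safe. The unbounded `strcpy()` also relies on the allocation above being at least `strlen(s) + 1` bytes, which the visible lines do not show; a copy bounded by the allocated size would make that explicit.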
> --
> 2.7.4
>
-Kees
--
Kees Cook
Pixel Security
Silva"
Cc: linux-usb@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/usb/gadget/udc/snps_udc_core.c | 16 +---
1 file changed, 5 insertions(+), 11 deletions(-)
diff --git a/drivers/usb/gadget/udc/snps_udc_core.c
b/drivers/usb/gadget/udc/snps_udc_core.c
index 5460e5ba1c3c..16
: linux-o...@vger.kernel.org
Signed-off-by: Kees Cook
---
drivers/usb/phy/phy-isp1301-omap.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/usb/phy/phy-isp1301-omap.c
b/drivers/usb/phy/phy-isp1301-omap.c
index f7516f5bee21..321679fe240d 100644
--- a/drivers/usb/phy/phy-isp1301-omap.c
+++ b
s driver */
> + dev_err(idev, "Not able to get a minor for this device.\n");
> + usb_set_intfdata (interface, NULL);
> + goto error;
> + }
> + dev->minor = interface->minor;
> +
> + /* let the user kno
This makes sure that the name coming out of configfs cannot be used
accidentally as a format string.
Signed-off-by: Kees Cook
Cc: sta...@vger.kernel.org
---
v2:
- with stable cc; Felipe Balbi.
---
drivers/usb/gadget/tcm_usb_gadget.c |2 +-
1 file changed, 1 insertion(+), 1 deletion
This makes sure that the name coming out of configfs cannot be used
accidentally as a format string.
Signed-off-by: Kees Cook
---
drivers/usb/gadget/tcm_usb_gadget.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/tcm_usb_gadget.c
b/drivers/usb/gadget
56 matches