Re: [PATCH] staging: speakup: fix wraparound in uaccess length check

From: Jann Horn
Date: Sat Jul 07 2018 - 04:23:39 EST

Next message: Mike Galbraith: "Re: [PATCH 1/7] mm: allocate mm_cpumask dynamically based on nr_cpu_ids"
Previous message: Lukas Wunner: "Re: [PATCH] thunderbolt: fix small typo in variable name"
In reply to: Samuel Thibault: "Re: [PATCH] staging: speakup: fix wraparound in uaccess length check"
Next in thread: Samuel Thibault: "Re: [PATCH] staging: speakup: fix wraparound in uaccess length check"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Jul 7, 2018 at 10:13 AM Samuel Thibault
<samuel.thibault@xxxxxxxxxxxx> wrote:
>
> Jann Horn, le sam. 07 juil. 2018 03:53:44 +0200, a ecrit:
> > @@ -257,6 +257,8 @@ static ssize_t softsynthx_read(struct file *fp, char __user *buf, size_t count,
> > 0x80 | (ch & 0x3f)
> > };
> >
> > + if (chars_sent + 2 > count)
> > + break;
> > if (copy_to_user(cp, s, sizeof(s)))
> > return -EFAULT;
>
> Err, but then we have lost 'ch' that was consumed by the
> synth_buffer_getc() call, so the fix seems wrong to me.

Oh. Whoops.

So that means I'd need to first synth_buffer_peek(), then
synth_buffer_get() afterwards (and discard the result that time)? But
there are also no locks held at the moment the code is in there, which
could cause that approach to lead to inconsistent results... do you
want me to resend with synth_buffer_peek() and an additional mutex
that is held throughout softsynthx_read()? Or should I rewrite the
patch to be simple and just bail out on `count < 3`?

Next message: Mike Galbraith: "Re: [PATCH 1/7] mm: allocate mm_cpumask dynamically based on nr_cpu_ids"
Previous message: Lukas Wunner: "Re: [PATCH] thunderbolt: fix small typo in variable name"
In reply to: Samuel Thibault: "Re: [PATCH] staging: speakup: fix wraparound in uaccess length check"
Next in thread: Samuel Thibault: "Re: [PATCH] staging: speakup: fix wraparound in uaccess length check"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]