linux.git/drivers/comedi, branch v5.18 Clone of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git comedi: drivers: ni_routes: Use strcmp() instead of memcmp() 2022-02-25T11:08:52+00:00 Kees Cook keescook@chromium.org 2022-02-15T17:10:17+00:00 3bc93c7bded0cf361e58af160e9b23996c10a1a1 The family and device comparisons were using memcmp(), but this could lead to Out-of-bounds reads when the length was larger than the buffers being compared. Since these appear to always be NUL-terminated strings, just use strcmp() instead. This was found with Clang under LTO: [ 92.405851][ T1] kernel BUG at lib/string_helpers.c:980! ... [ 92.409141][ T1] RIP: 0010:fortify_panic (fbdev.c:?) ... [ 92.410056][ T1] ni_assign_device_routes (fbdev.c:?) [ 92.410056][ T1] ? unittest_enter (fbdev.c:?) [ 92.410056][ T1] ni_routes_unittest (ni_routes_test.c:?) [ 92.410056][ T1] ? unittest_enter (fbdev.c:?) [ 92.410056][ T1] __initstub__kmod_ni_routes_test__505_604_ni_routes_unittest6 (fbdev.c:?) [ 92.410056][ T1] do_one_initcall (fbdev.c:?) Link: https://lore.kernel.org/lkml/20220210072821.GD4074@xsang-OptiPlex-9020 Fixes: 4bb90c87abbe ("staging: comedi: add interface to ni routing table information") Cc: Ian Abbott <abbotti@mev.co.uk> Cc: H Hartley Sweeten <hsweeten@visionengravers.com> Cc: Spencer E. Olson <olsonse@umich.edu> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Masahiro Yamada <masahiroy@kernel.org> Cc: Lee Jones <lee.jones@linaro.org> Reported-by: kernel test robot <oliver.sang@intel.com> Reviewed-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20220215171017.1247291-1-keescook@chromium.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
The family and device comparisons were using memcmp(), but this could
lead to Out-of-bounds reads when the length was larger than the
buffers being compared. Since these appear to always be NUL-terminated
strings, just use strcmp() instead.

This was found with Clang under LTO:

[ 92.405851][    T1] kernel BUG at lib/string_helpers.c:980!
...
[ 92.409141][ T1] RIP: 0010:fortify_panic (fbdev.c:?)
...
[ 92.410056][ T1] ni_assign_device_routes (fbdev.c:?)
[ 92.410056][ T1] ? unittest_enter (fbdev.c:?)
[ 92.410056][ T1] ni_routes_unittest (ni_routes_test.c:?)
[ 92.410056][ T1] ? unittest_enter (fbdev.c:?)
[ 92.410056][ T1] __initstub__kmod_ni_routes_test__505_604_ni_routes_unittest6 (fbdev.c:?)
[ 92.410056][ T1] do_one_initcall (fbdev.c:?)

Link: https://lore.kernel.org/lkml/20220210072821.GD4074@xsang-OptiPlex-9020
Fixes: 4bb90c87abbe ("staging: comedi: add interface to ni routing table information")
Cc: Ian Abbott <abbotti@mev.co.uk>
Cc: H Hartley Sweeten <hsweeten@visionengravers.com>
Cc: Spencer E. Olson <olsonse@umich.edu>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Masahiro Yamada <masahiroy@kernel.org>
Cc: Lee Jones <lee.jones@linaro.org>
Reported-by: kernel test robot <oliver.sang@intel.com>
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220215171017.1247291-1-keescook@chromium.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
comedi: remove redundant assignment to variable buffer_config 2022-02-08T11:12:02+00:00 Colin Ian King colin.i.king@gmail.com 2022-01-30T23:29:10+00:00 9940a7569d4ca7d8530a488b2e81ea1da86a3694 Variable buffer_config is being assigned a value that is never read, it is being re-assigned later on. The assignment is redundant and can be removed. Signed-off-by: Colin Ian King <colin.i.king@gmail.com> Link: https://lore.kernel.org/r/20220130232910.9313-1-colin.i.king@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Variable buffer_config is being assigned a value that is never read, it
is being re-assigned later on. The assignment is redundant and can be
removed.

Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
Link: https://lore.kernel.org/r/20220130232910.9313-1-colin.i.king@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
comedi: das16: Use struct_size() helper in comedi_alloc_spriv() 2022-01-26T13:16:16+00:00 Gustavo A. R. Silva gustavoars@kernel.org 2022-01-25T23:25:25+00:00 ee8ed0141d532d662407f70d65111a42fe2addae Make use of the struct_size() helper instead of an open-coded version, in order to avoid any potential type mistakes or integer overflows that, in the worst scenario, could lead to heap overflows. Also, address the following sparse warnings: drivers/comedi/drivers/das16.c:964:45: warning: using sizeof on a flexible structure drivers/comedi/drivers/das16.c:998:45: warning: using sizeof on a flexible structure Link: https://github.com/KSPP/linux/issues/174 Reviewed-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> Link: https://lore.kernel.org/r/20220125232525.GA80228@embeddedor Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Make use of the struct_size() helper instead of an open-coded version,
in order to avoid any potential type mistakes or integer overflows that,
in the worst scenario, could lead to heap overflows.

Also, address the following sparse warnings:
drivers/comedi/drivers/das16.c:964:45: warning: using sizeof on a flexible structure
drivers/comedi/drivers/das16.c:998:45: warning: using sizeof on a flexible structure

Link: https://github.com/KSPP/linux/issues/174
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/20220125232525.GA80228@embeddedor
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
comedi: Move "comedi_isadma.h" to <linux/comedi/comedi_isadma.h> 2021-11-26T15:48:59+00:00 Ian Abbott abbotti@mev.co.uk 2021-11-17T12:06:03+00:00 fe7a4f5b9548456246ffda143bab59922acda9fd Some of the header files in "drivers/comedi/drivers/" are common enough to be useful to out-of-tree comedi driver modules. Using them for out-of-tree module builds is hampered by the headers being outside the "include/" directory so it is desirable to move them. There are about a half a dozen or so Comedi device drivers that use the "comedi_isadma" module to add ISA DMA support. The macros and declarations to use that module are in the "comedi_isadma.h" header file in the comedi "drivers" directory. Move it into "include/linux/comedi/". Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Link: https://lore.kernel.org/r/20211117120604.117740-6-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Some of the header files in "drivers/comedi/drivers/" are common enough
to be useful to out-of-tree comedi driver modules.  Using them for
out-of-tree module builds is hampered by the headers being outside the
"include/" directory so it is desirable to move them.

There are about a half a dozen or so Comedi device drivers that use the
"comedi_isadma" module to add ISA DMA support.  The macros and
declarations to use that module are in the "comedi_isadma.h" header file
in the comedi "drivers" directory.  Move it into
"include/linux/comedi/".

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20211117120604.117740-6-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
comedi: Move "comedi_8254.h" to <linux/comedi/comedi_8254.h> 2021-11-26T15:48:59+00:00 Ian Abbott abbotti@mev.co.uk 2021-11-17T12:06:02+00:00 44fb7affcfa4e968e9c2ede023ef0e15f06d8209 Some of the header files in "drivers/comedi/drivers/" are common enough to be useful to out-of-tree comedi driver modules. Using them for out-of-tree module builds is hampered by the headers being outside the "include/" directory so it is desirable to move them. There are about a couple of dozen or so Comedi device drivers that use the "comedi_8254" module to add timers based on the venerable 8254 Programmable Interval Timer chip. The macros and declarations to use that module are in the "comedi_8254.h" header file in the comedi "drivers" directory. Move it into "include/linux/comedi/". Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Link: https://lore.kernel.org/r/20211117120604.117740-5-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Some of the header files in "drivers/comedi/drivers/" are common enough
to be useful to out-of-tree comedi driver modules.  Using them for
out-of-tree module builds is hampered by the headers being outside the
"include/" directory so it is desirable to move them.

There are about a couple of dozen or so Comedi device drivers that use
the "comedi_8254" module to add timers based on the venerable 8254
Programmable Interval Timer chip.  The macros and declarations to use
that module are in the "comedi_8254.h" header file in the comedi
"drivers" directory.  Move it into "include/linux/comedi/".

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20211117120604.117740-5-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
comedi: Move and rename "8255.h" to <linux/comedi/comedi_8255.h> 2021-11-26T15:48:59+00:00 Ian Abbott abbotti@mev.co.uk 2021-11-17T12:06:01+00:00 631e272b12075b60f7c7fc4f84f937d78a699844 Some of the header files in "drivers/comedi/drivers/" are common enough to be useful to out-of-tree comedi driver modules. Using them for out-of-tree module builds is hampered by the headers being outside the "include/" directory so it is desirable to move them. There are about a couple of dozen Comedi device drivers that use the "comedi_8255" module to add digital I/O subdevices based on the venerable 8255 Programmable Peripheral Interface chip. The macros and declarations to use that module are in the "8255.h" header file in the comedi "drivers" directory. Move it into "include/linux/comedi/" and rename it to "comedi_8255.h" for naming consistency reasons. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Link: https://lore.kernel.org/r/20211117120604.117740-4-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Some of the header files in "drivers/comedi/drivers/" are common enough
to be useful to out-of-tree comedi driver modules.  Using them for
out-of-tree module builds is hampered by the headers being outside the
"include/" directory so it is desirable to move them.

There are about a couple of dozen Comedi device drivers that use the
"comedi_8255" module to add digital I/O subdevices based on the
venerable 8255 Programmable Peripheral Interface chip.  The macros and
declarations to use that module are in the "8255.h" header file in the
comedi "drivers" directory.  Move it into "include/linux/comedi/" and
rename it to "comedi_8255.h" for naming consistency reasons.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20211117120604.117740-4-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
comedi: ni_routing: tools: Update due to moved COMEDI headers 2021-11-26T15:48:59+00:00 Ian Abbott abbotti@mev.co.uk 2021-11-17T12:06:00+00:00 55d0f80ecf0be13c2fdfa0c0917436f88f6502ff Building of the tools for converting the NI routing information between CSV files (for maintenance) and C files (for building) was broken by the move of the main COMEDI header files to "include/uapi/linux/" and "include/linux/". (These tools are not built as part of the normal kernel build process.) Fix it in the Makefile. A slight niggle is that `#include <linux/comedi.h>` needs to work when compiling the `convert_c_to_py` program, but it cannot use a `-I` option referring to the "uapi" include directory because that interferes with inclusion of other system headers. So it uses `-I.` and makes a local copy (actually a symbolic link) as "./linux/comedi.h". Also remove some unneeded cruft such as the `-D"BIT(x)=(1<<(x))"` preprocessor flag. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Link: https://lore.kernel.org/r/20211117120604.117740-3-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Building of the tools for converting the NI routing information between
CSV files (for maintenance) and C files (for building) was broken by the
move of the main COMEDI header files to "include/uapi/linux/" and
"include/linux/".  (These tools are not built as part of the normal
kernel build process.)  Fix it in the Makefile.

A slight niggle is that `#include <linux/comedi.h>` needs to work when
compiling the `convert_c_to_py` program, but it cannot use a `-I` option
referring to the "uapi" include directory because that interferes with
inclusion of other system headers.  So it uses `-I.` and makes a local
copy (actually a symbolic link) as "./linux/comedi.h".

Also remove some unneeded cruft such as the `-D"BIT(x)=(1<<(x))"`
preprocessor flag.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20211117120604.117740-3-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
comedi: Move the main COMEDI headers 2021-11-26T15:48:59+00:00 Ian Abbott abbotti@mev.co.uk 2021-11-17T12:05:59+00:00 df0e68c1e9945e2ee86d266ce45597bbd8299b06 Move the main COMEDI driver headers out of "drivers/comedi/" into new directory "include/linux/comedi/". These are "comedidev.h", "comedilib.h", "comedi_pci.h", "comedi_pcmcia.h", and "comedi_usb.h". Additionally, move the user-space API header "comedi.h" into "include/uapi/linux/" and add "WITH Linux-syscall-note" to its SPDX-License-Identifier. Update the "COMEDI DRIVERS" section of the MAINTAINERS file to account for these changes. Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Link: https://lore.kernel.org/r/20211117120604.117740-2-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Move the main COMEDI driver headers out of "drivers/comedi/" into new
directory "include/linux/comedi/".  These are "comedidev.h",
"comedilib.h", "comedi_pci.h", "comedi_pcmcia.h", and "comedi_usb.h".
Additionally, move the user-space API header "comedi.h" into
"include/uapi/linux/" and add "WITH Linux-syscall-note" to its
SPDX-License-Identifier.

Update the "COMEDI DRIVERS" section of the MAINTAINERS file to account
for these changes.

Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Link: https://lore.kernel.org/r/20211117120604.117740-2-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
comedi: dt9812: fix DMA buffers on stack 2021-10-30T08:54:47+00:00 Johan Hovold johan@kernel.org 2021-10-27T09:35:29+00:00 536de747bc48262225889a533db6650731ab25d3 USB transfer buffers are typically mapped for DMA and must not be allocated on the stack or transfers will fail. Allocate proper transfer buffers in the various command helpers and return an error on short transfers instead of acting on random stack data. Note that this also fixes a stack info leak on systems where DMA is not used as 32 bytes are always sent to the device regardless of how short the command is. Fixes: 63274cd7d38a ("Staging: comedi: add usb dt9812 driver") Cc: stable@vger.kernel.org # 2.6.29 Reviewed-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Johan Hovold <johan@kernel.org> Link: https://lore.kernel.org/r/20211027093529.30896-3-johan@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
USB transfer buffers are typically mapped for DMA and must not be
allocated on the stack or transfers will fail.

Allocate proper transfer buffers in the various command helpers and
return an error on short transfers instead of acting on random stack
data.

Note that this also fixes a stack info leak on systems where DMA is not
used as 32 bytes are always sent to the device regardless of how short
the command is.

Fixes: 63274cd7d38a ("Staging: comedi: add usb dt9812 driver")
Cc: stable@vger.kernel.org      # 2.6.29
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20211027093529.30896-3-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
comedi: ni_usb6501: fix NULL-deref in command paths 2021-10-30T08:54:47+00:00 Johan Hovold johan@kernel.org 2021-10-27T09:35:28+00:00 907767da8f3a925b060c740e0b5c92ea7dbec440 The driver uses endpoint-sized USB transfer buffers but had no sanity checks on the sizes. This can lead to zero-size-pointer dereferences or overflowed transfer buffers in ni6501_port_command() and ni6501_counter_command() if a (malicious) device has smaller max-packet sizes than expected (or when doing descriptor fuzz testing). Add the missing sanity checks to probe(). Fixes: a03bb00e50ab ("staging: comedi: add NI USB-6501 support") Cc: stable@vger.kernel.org # 3.18 Cc: Luca Ellero <luca.ellero@brickedbrain.com> Reviewed-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Johan Hovold <johan@kernel.org> Link: https://lore.kernel.org/r/20211027093529.30896-2-johan@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
The driver uses endpoint-sized USB transfer buffers but had no sanity
checks on the sizes. This can lead to zero-size-pointer dereferences or
overflowed transfer buffers in ni6501_port_command() and
ni6501_counter_command() if a (malicious) device has smaller max-packet
sizes than expected (or when doing descriptor fuzz testing).

Add the missing sanity checks to probe().

Fixes: a03bb00e50ab ("staging: comedi: add NI USB-6501 support")
Cc: stable@vger.kernel.org      # 3.18
Cc: Luca Ellero <luca.ellero@brickedbrain.com>
Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20211027093529.30896-2-johan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>