[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ae1f9a0a-2058-4126-b716-44dc54449c4d@kadam.mountain>
Date: Tue, 24 Oct 2023 09:08:26 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Christophe JAILLET <christophe.jaillet@...adoo.fr>
Cc: rafael@...nel.org, lenb@...nel.org, linux-acpi@...r.kernel.org,
linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: Re: [PATCH 2/4] ACPI: sysfs: Fix a potential out-of-bound write in
create_of_modalias()
On Tue, Oct 24, 2023 at 08:55:25AM +0300, Dan Carpenter wrote:
> On Mon, Oct 23, 2023 at 09:33:16PM +0200, Christophe JAILLET wrote:
> > The remaining size of the buffer used by snprintf() is not updated after
> > the first write, so subsequent write in the 'for' loop a few lines below
> > can write some data past the end of the 'modalias' buffer.
> >
> > Correctly update the remaining size.
> >
> > Note that this pattern is already correctly written in
> > create_pnp_modalias().
> >
> > Fixes: 8765c5ba1949 ("ACPI / scan: Rework modalias creation when "compatible" is present")
> > Signed-off-by: Christophe JAILLET <christophe.jaillet@...adoo.fr>
> > ---
> > drivers/acpi/device_sysfs.c | 2 ++
> > 1 file changed, 2 insertions(+)
> >
> > diff --git a/drivers/acpi/device_sysfs.c b/drivers/acpi/device_sysfs.c
> > index 4deb36dccb73..7ec3142f3eda 100644
> > --- a/drivers/acpi/device_sysfs.c
> > +++ b/drivers/acpi/device_sysfs.c
> > @@ -215,6 +215,8 @@ static int create_of_modalias(const struct acpi_device *acpi_dev, char *modalias
> > if (len >= size)
> > return -ENOMEM;
> >
> > + size -= len;
> > +
>
> Yeah. This is a good bugfix but it also shows why the canonical format
> is better. In the canonical format the "size - len" happens as part of
> snprintf() instead of on a separate line where it can be forgotten.
>
> len += snprintf(buf + len, size - len, "string");
>
> Also the user space version of snprintf() can fail but the
> kernel space version can't. This code is more complicated and introduces
> a memory corruption bug because it is pretending that we need to check
> for negatives. People (someone) sometimes (once ten years ago) tell me
> that checking for negatives is important for security but actually it's
> the reverse.
So I had a Smatch check for this kind of stuff but it was pretty junk.
It also only looked for "modalias + len" and here the code is doing
"&modalias[len]".
I can fix it up a bit today and look again at the warnings. Here is the
the check and the warnings as-is.
regards,
dan carpenter
View attachment "check_snprintf_no_minus.c" of type "text/x-csrc" (1654 bytes)
View attachment "err-list" of type "text/plain" (11451 bytes)
Powered by blists - more mailing lists