Hi Sudeep,
>> +static void combine_lpi_states(struct acpi_processor_lpi *l_lpi,
>> + struct acpi_processor_lpi *p_lpi,
>> + struct acpi_processor_lpi *c_lpi)
>> +{
>> + c_lpi->min_residency = max(l_lpi->min_residency, p_lpi->min_residency);
>> + c_lpi->wake_latency = l_lpi->wake_latency + p_lpi->wake_latency;
>> + c_lpi->enable_parent_state = p_lpi->enable_parent_state;
>> + c_lpi->entry_method = l_lpi->entry_method;
>> + c_lpi->address = l_lpi->address + p_lpi->address;
>> + c_lpi->index = p_lpi->index;
>> + c_lpi->flags = p_lpi->flags;
>> + c_lpi->arch_flags = p_lpi->arch_flags;
>> + strncpy(c_lpi->desc, l_lpi->desc, ACPI_CX_DESC_LEN);
>> + strncat(c_lpi->desc, "+", ACPI_CX_DESC_LEN);
>> + strncat(c_lpi->desc, p_lpi->desc, ACPI_CX_DESC_LEN);
>> +}
I suppose you meant to use strl* instead of strn* operations. Below is a
simple patch to fix these. Can you please fold these changes into your next
version as well?
ACPI / Processor: fix buffer overflow caused by strncat/strncpy
The misuse of strncat in LPI code is causing buffer overflow. The fix
is to replace strncat with strlcat.
Signed-off-by: Fan Wu <[email protected]>
Signed-off-by: Prashanth Prakash <[email protected]>
---
drivers/acpi/processor_idle.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c
index af851f1..4ca42a7 100644
--- a/drivers/acpi/processor_idle.c
+++ b/drivers/acpi/processor_idle.c
@@ -856,7 +856,7 @@ static int acpi_processor_setup_cstates(struct acpi_processor *pr)
state = &drv->states[count];
snprintf(state->name, CPUIDLE_NAME_LEN, "C%d", i);
- strncpy(state->desc, cx->desc, CPUIDLE_DESC_LEN);
+ strlcpy(state->desc, cx->desc, CPUIDLE_DESC_LEN);
state->exit_latency = cx->latency;
state->target_residency = cx->latency * latency_factor;
state->enter = acpi_idle_enter;
@@ -1009,7 +1009,7 @@ static int acpi_processor_evaluate_lpi(acpi_handle handle,
obj = &element->package.elements[9];
if (obj->type == ACPI_TYPE_STRING)
- strncpy(lpix->desc, obj->string.pointer, ACPI_CX_DESC_LEN);
+ strlcpy(lpix->desc, obj->string.pointer, ACPI_CX_DESC_LEN);
lpix->index = state_count;
@@ -1068,9 +1068,9 @@ static void combine_lpi_states(struct acpi_processor_lpi *l_lpi,
c_lpi->index = p_lpi->index;
c_lpi->flags = p_lpi->flags;
c_lpi->arch_flags = p_lpi->arch_flags;
- strncpy(c_lpi->desc, l_lpi->desc, ACPI_CX_DESC_LEN);
- strncat(c_lpi->desc, "+", ACPI_CX_DESC_LEN);
- strncat(c_lpi->desc, p_lpi->desc, ACPI_CX_DESC_LEN);
+ strlcpy(c_lpi->desc, l_lpi->desc, ACPI_CX_DESC_LEN);
+ strlcat(c_lpi->desc, "+", ACPI_CX_DESC_LEN);
+ strlcat(c_lpi->desc, p_lpi->desc, ACPI_CX_DESC_LEN);
}
static int flatten_lpi_states(struct acpi_processor *pr,
@@ -1190,7 +1190,7 @@ static int acpi_processor_setup_lpi_states(struct acpi_processor *pr)
state = &drv->states[i];
snprintf(state->name, CPUIDLE_NAME_LEN, "LPI-%d", i);
- strncpy(state->desc, lpi->desc, CPUIDLE_DESC_LEN);
+ strlcpy(state->desc, lpi->desc, CPUIDLE_DESC_LEN);
state->exit_latency = lpi->wake_latency;
state->target_residency = lpi->min_residency;
if (lpi->arch_flags)
--
1.8.2.1
Hi Prashanth,
On 01/12/15 17:23, Prakash, Prashanth wrote:
> Hi Sudeep,
>>> +static void combine_lpi_states(struct acpi_processor_lpi *l_lpi,
>>> + struct acpi_processor_lpi *p_lpi,
>>> + struct acpi_processor_lpi *c_lpi)
>>> +{
>>> + c_lpi->min_residency = max(l_lpi->min_residency, p_lpi->min_residency);
>>> + c_lpi->wake_latency = l_lpi->wake_latency + p_lpi->wake_latency;
>>> + c_lpi->enable_parent_state = p_lpi->enable_parent_state;
>>> + c_lpi->entry_method = l_lpi->entry_method;
>>> + c_lpi->address = l_lpi->address + p_lpi->address;
>>> + c_lpi->index = p_lpi->index;
>>> + c_lpi->flags = p_lpi->flags;
>>> + c_lpi->arch_flags = p_lpi->arch_flags;
>>> + strncpy(c_lpi->desc, l_lpi->desc, ACPI_CX_DESC_LEN);
>>> + strncat(c_lpi->desc, "+", ACPI_CX_DESC_LEN);
>>> + strncat(c_lpi->desc, p_lpi->desc, ACPI_CX_DESC_LEN);
>>> +}
> I suppose you meant to use strl* instead of strn* operations. Below is a
> simple patch to fix these. Can you please fold these changes into your next
> version as well?
>
Thanks for reporting, I had fixed it already as I ran into same issue
when I was playing around with the description string in the LPI tables.
Just adding some comments to the code now where ever it's not so
obvious, will post it tomorrow.
--
Regards,
Sudeep