Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752003AbbDUBft (ORCPT ); Mon, 20 Apr 2015 21:35:49 -0400 Received: from mail-bn1on0112.outbound.protection.outlook.com ([157.56.110.112]:17440 "EHLO na01-bn1-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1751455AbbDUBfr (ORCPT ); Mon, 20 Apr 2015 21:35:47 -0400 Authentication-Results: spf=fail (sender IP is 192.88.168.50) smtp.mailfrom=freescale.com; vger.kernel.org; dkim=none (message not signed) header.d=none; Date: Tue, 21 Apr 2015 09:32:56 +0800 From: Peter Chen To: Heinrich Schuchardt CC: Greg Kroah-Hartman , , Subject: Re: [PATCH 1/1] drivers/usb/chipidea/debuc.c: avoid out of bound read Message-ID: <20150421013254.GA25710@shlinux2> References: <1429250653-1626-1-git-send-email-xypron.glpk@gmx.de> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Disposition: inline In-Reply-To: <1429250653-1626-1-git-send-email-xypron.glpk@gmx.de> User-Agent: Mutt/1.5.21 (2010-09-15) X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:192.88.168.50;CTRY:US;IPV:NLI;EFV:NLI;BMV:1;SFV:NSPM;SFS:(10019020)(6009001)(339900001)(199003)(51704005)(24454002)(189002)(106466001)(86362001)(47776003)(4001350100001)(50986999)(33656002)(110136001)(23726002)(104016003)(87936001)(33716001)(105606002)(97756001)(76176999)(54356999)(83506001)(50466002)(19580405001)(19580395003)(6806004)(92566002)(46406003)(46102003)(77156002)(77096005)(62966003)(2950100001)(7059030);DIR:OUT;SFP:1102;SCL:1;SRVR:BY1PR0301MB1224;H:tx30smr01.am.freescale.net;FPR:;SPF:Fail;MLV:sfv;A:1;MX:1;LANG:en; X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY1PR0301MB1224; X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-Test: UriScan:; X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(601004)(5002010)(5005006);SRVR:BY1PR0301MB1224;BCL:0;PCL:0;RULEID:;SRVR:BY1PR0301MB1224; X-Forefront-PRVS: 0553CBB77A X-OriginatorOrg: freescale.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 21 Apr 2015 01:35:43.8069 (UTC) X-MS-Exchange-CrossTenant-Id: 710a03f5-10f6-4d38-9ff4-a80b81da590d X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=710a03f5-10f6-4d38-9ff4-a80b81da590d;Ip=[192.88.168.50];Helo=[tx30smr01.am.freescale.net] X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY1PR0301MB1224 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1356 Lines: 48 On Fri, Apr 17, 2015 at 08:04:13AM +0200, Heinrich Schuchardt wrote: > A string written by the user may not be zero terminated. > > sscanf may read memory beyond the buffer if no zero byte > is found. > > Signed-off-by: Heinrich Schuchardt > --- > drivers/usb/chipidea/debug.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/drivers/usb/chipidea/debug.c b/drivers/usb/chipidea/debug.c > index dfb05ed..ef08af3 100644 > --- a/drivers/usb/chipidea/debug.c > +++ b/drivers/usb/chipidea/debug.c > @@ -88,9 +88,13 @@ static ssize_t ci_port_test_write(struct file *file, const char __user *ubuf, > char buf[32]; > int ret; > > - if (copy_from_user(buf, ubuf, min_t(size_t, sizeof(buf) - 1, count))) > + count = min_t(size_t, sizeof(buf) - 1, count); > + if (copy_from_user(buf, ubuf, count)) > return -EFAULT; Any reasons to change above? > > + /* sscanf requires a zero terminated string */ > + buf[count] = 0; > + I prefer using '\0' > if (sscanf(buf, "%u", &mode) != 1) > return -EINVAL; > > -- > 2.1.4 > -- Best Regards, Peter Chen -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/