Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1756768AbbDVB3a (ORCPT <rfc822;w@1wt.eu>);
	Tue, 21 Apr 2015 21:29:30 -0400
Received: from mail-bn1bn0101.outbound.protection.outlook.com ([157.56.110.101]:13263
	"EHLO na01-bn1-obe.outbound.protection.outlook.com"
	rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
	id S1753562AbbDVB30 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Tue, 21 Apr 2015 21:29:26 -0400
Authentication-Results: spf=fail (sender IP is 192.88.168.50)
 smtp.mailfrom=freescale.com; vger.kernel.org; dkim=none (message not signed)
 header.d=none;
Date: Wed, 22 Apr 2015 09:26:35 +0800
From: Peter Chen <peter.chen@freescale.com>
To: Heinrich Schuchardt <xypron.glpk@gmx.de>
CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        <linux-usb@vger.kernel.org>, <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 1/1] drivers/usb/chipidea/debuc.c: avoid out of bound read
Message-ID: <20150422012633.GA2680@shlinux2>
References: <1429250653-1626-1-git-send-email-xypron.glpk@gmx.de>
 <20150421013254.GA25710@shlinux2> <5536A435.1030808@gmx.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <5536A435.1030808@gmx.de>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:192.88.168.50;CTRY:US;IPV:NLI;EFV:NLI;BMV:1;SFV:NSPM;SFS:(10019020)(6009001)(339900001)(189002)(24454002)(52604005)(199003)(51704005)(85426001)(76176999)(46102003)(19580395003)(97756001)(23726002)(46406003)(6806004)(54356999)(33656002)(4001350100001)(86362001)(50466002)(62966003)(83506001)(105606002)(106466001)(2950100001)(110136001)(104016003)(87936001)(50986999)(77156002)(92566002)(33716001)(77096005)(19580405001)(47776003)(7059030);DIR:OUT;SFP:1102;SCL:1;SRVR:CY1PR0301MB0715;H:tx30smr01.am.freescale.net;FPR:;SPF:Fail;MLV:sfv;MX:1;A:1;LANG:en;
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:CY1PR0301MB0715;
X-Microsoft-Antispam-PRVS: <CY1PR0301MB07154DBB09CF4AA3692C610F81EE0@CY1PR0301MB0715.namprd03.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(601004)(5005006)(5002010);SRVR:CY1PR0301MB0715;BCL:0;PCL:0;RULEID:;SRVR:CY1PR0301MB0715;
X-Forefront-PRVS: 0554B1F54F
X-OriginatorOrg: freescale.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 22 Apr 2015 01:29:23.0091
 (UTC)
X-MS-Exchange-CrossTenant-Id: 710a03f5-10f6-4d38-9ff4-a80b81da590d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=710a03f5-10f6-4d38-9ff4-a80b81da590d;Ip=[192.88.168.50];Helo=[tx30smr01.am.freescale.net]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR0301MB0715
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1917
Lines: 69

On Tue, Apr 21, 2015 at 09:25:41PM +0200, Heinrich Schuchardt wrote:
> Hello Peter,
> 
> thanks for reviewing.
> 
> On 21.04.2015 03:32, Peter Chen wrote:
> > On Fri, Apr 17, 2015 at 08:04:13AM +0200, Heinrich Schuchardt wrote:
> >> A string written by the user may not be zero terminated.
> >>
> >> sscanf may read memory beyond the buffer if no zero byte
> >> is found.
> >>
> >> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
> >> ---
> >>  drivers/usb/chipidea/debug.c | 6 +++++-
> >>  1 file changed, 5 insertions(+), 1 deletion(-)
> >>
> >> diff --git a/drivers/usb/chipidea/debug.c b/drivers/usb/chipidea/debug.c
> >> index dfb05ed..ef08af3 100644
> >> --- a/drivers/usb/chipidea/debug.c
> >> +++ b/drivers/usb/chipidea/debug.c
> >> @@ -88,9 +88,13 @@ static ssize_t ci_port_test_write(struct file *file, const char __user *ubuf,
> >>  	char buf[32];
> >>  	int ret;
> >>  
> >> -	if (copy_from_user(buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
> >> +	count = min_t(size_t, sizeof(buf) - 1, count);
> >> +	if (copy_from_user(buf, ubuf, count))
> >>  		return -EFAULT;
> > 
> > Any reasons to change above?
> 
> Otherwise we would have two lines with the term
> min_t(size_t, sizeof(buf) - 1, count).

Sorry, two lines of min_t(..)? Why I can't find it?


> 
> This would make the code harder to read.
> 
> >>  
> >> +	/* sscanf requires a zero terminated string */
> >> +	buf[count] = 0;
> >> +
> > 
> > I prefer using '\0'
> 
> If you confirm the rest of the patch is ok, I will send an updated patch.
> 
> Best regards
> 
> Heinrich
> 
> > 
> >>  	if (sscanf(buf, "%u", &mode) != 1)
> >>  		return -EINVAL;
> >>  
> 

-- 

Best Regards,
Peter Chen
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/