Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756768AbbDVB3a (ORCPT ); Tue, 21 Apr 2015 21:29:30 -0400 Received: from mail-bn1bn0101.outbound.protection.outlook.com ([157.56.110.101]:13263 "EHLO na01-bn1-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1753562AbbDVB30 (ORCPT ); Tue, 21 Apr 2015 21:29:26 -0400 Authentication-Results: spf=fail (sender IP is 192.88.168.50) smtp.mailfrom=freescale.com; vger.kernel.org; dkim=none (message not signed) header.d=none; Date: Wed, 22 Apr 2015 09:26:35 +0800 From: Peter Chen To: Heinrich Schuchardt CC: Greg Kroah-Hartman , , Subject: Re: [PATCH 1/1] drivers/usb/chipidea/debuc.c: avoid out of bound read Message-ID: <20150422012633.GA2680@shlinux2> References: <1429250653-1626-1-git-send-email-xypron.glpk@gmx.de> <20150421013254.GA25710@shlinux2> <5536A435.1030808@gmx.de> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Disposition: inline In-Reply-To: <5536A435.1030808@gmx.de> User-Agent: Mutt/1.5.21 (2010-09-15) X-EOPAttributedMessage: 0 X-Forefront-Antispam-Report: CIP:192.88.168.50;CTRY:US;IPV:NLI;EFV:NLI;BMV:1;SFV:NSPM;SFS:(10019020)(6009001)(339900001)(189002)(24454002)(52604005)(199003)(51704005)(85426001)(76176999)(46102003)(19580395003)(97756001)(23726002)(46406003)(6806004)(54356999)(33656002)(4001350100001)(86362001)(50466002)(62966003)(83506001)(105606002)(106466001)(2950100001)(110136001)(104016003)(87936001)(50986999)(77156002)(92566002)(33716001)(77096005)(19580405001)(47776003)(7059030);DIR:OUT;SFP:1102;SCL:1;SRVR:CY1PR0301MB0715;H:tx30smr01.am.freescale.net;FPR:;SPF:Fail;MLV:sfv;MX:1;A:1;LANG:en; X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:CY1PR0301MB0715; X-Microsoft-Antispam-PRVS: X-Exchange-Antispam-Report-Test: UriScan:; X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(601004)(5005006)(5002010);SRVR:CY1PR0301MB0715;BCL:0;PCL:0;RULEID:;SRVR:CY1PR0301MB0715; X-Forefront-PRVS: 0554B1F54F X-OriginatorOrg: freescale.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 22 Apr 2015 01:29:23.0091 (UTC) X-MS-Exchange-CrossTenant-Id: 710a03f5-10f6-4d38-9ff4-a80b81da590d X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=710a03f5-10f6-4d38-9ff4-a80b81da590d;Ip=[192.88.168.50];Helo=[tx30smr01.am.freescale.net] X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR0301MB0715 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1917 Lines: 69 On Tue, Apr 21, 2015 at 09:25:41PM +0200, Heinrich Schuchardt wrote: > Hello Peter, > > thanks for reviewing. > > On 21.04.2015 03:32, Peter Chen wrote: > > On Fri, Apr 17, 2015 at 08:04:13AM +0200, Heinrich Schuchardt wrote: > >> A string written by the user may not be zero terminated. > >> > >> sscanf may read memory beyond the buffer if no zero byte > >> is found. > >> > >> Signed-off-by: Heinrich Schuchardt > >> --- > >> drivers/usb/chipidea/debug.c | 6 +++++- > >> 1 file changed, 5 insertions(+), 1 deletion(-) > >> > >> diff --git a/drivers/usb/chipidea/debug.c b/drivers/usb/chipidea/debug.c > >> index dfb05ed..ef08af3 100644 > >> --- a/drivers/usb/chipidea/debug.c > >> +++ b/drivers/usb/chipidea/debug.c > >> @@ -88,9 +88,13 @@ static ssize_t ci_port_test_write(struct file *file, const char __user *ubuf, > >> char buf[32]; > >> int ret; > >> > >> - if (copy_from_user(buf, ubuf, min_t(size_t, sizeof(buf) - 1, count))) > >> + count = min_t(size_t, sizeof(buf) - 1, count); > >> + if (copy_from_user(buf, ubuf, count)) > >> return -EFAULT; > > > > Any reasons to change above? > > Otherwise we would have two lines with the term > min_t(size_t, sizeof(buf) - 1, count). Sorry, two lines of min_t(..)? Why I can't find it? > > This would make the code harder to read. > > >> > >> + /* sscanf requires a zero terminated string */ > >> + buf[count] = 0; > >> + > > > > I prefer using '\0' > > If you confirm the rest of the patch is ok, I will send an updated patch. > > Best regards > > Heinrich > > > > >> if (sscanf(buf, "%u", &mode) != 1) > >> return -EINVAL; > >> > -- Best Regards, Peter Chen -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/