Date: Tue, 28 Apr 2015 16:22:24 +0800
From: Peter Chen
To: Heinrich Schuchardt
CC: Greg Kroah-Hartman
Subject: Re: [PATCH 1/1] drivers/usb/chipidea/debuc.c: avoid out of bound read
Message-ID: <20150428082222.GB32234@shlinux2>

On Mon, Apr 27, 2015 at 08:25:12PM +0200, Heinrich Schuchardt wrote:
> On 22.04.2015 03:26, Peter Chen wrote:
> > On Tue, Apr 21, 2015 at 09:25:41PM +0200, Heinrich Schuchardt wrote:
> >> Hello Peter,
> >>
> >> thanks for reviewing.
> >>
> >> On 21.04.2015 03:32, Peter Chen wrote:
> >>> On Fri, Apr 17, 2015 at 08:04:13AM +0200, Heinrich Schuchardt wrote:
> >>>> A string written by the user may not be zero terminated.
> >>>>
> >>>> sscanf may read memory beyond the buffer if no zero byte
> >>>> is found.
> >>>>
> >>>> Signed-off-by: Heinrich Schuchardt
> >>>> ---
> >>>> drivers/usb/chipidea/debug.c | 6 +++++-
> >>>> 1 file changed, 5 insertions(+), 1 deletion(-)
> >>>>
> >>>> diff --git a/drivers/usb/chipidea/debug.c b/drivers/usb/chipidea/debug.c
> >>>> index dfb05ed..ef08af3 100644
> >>>> --- a/drivers/usb/chipidea/debug.c
> >>>> +++ b/drivers/usb/chipidea/debug.c
> >>>> @@ -88,9 +88,13 @@ static ssize_t ci_port_test_write(struct file *file, const char __user *ubuf,
> >>>> char buf[32];
> >>>> int ret;
> >>>>
> >>>> - if (copy_from_user(buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
> >>>> + count = min_t(size_t, sizeof(buf) - 1, count);
> >>>> + if (copy_from_user(buf, ubuf, count))
> >>>> return -EFAULT;
> >>>
> >>> Any reasons to change above?
> >>
> >> Otherwise we would have two lines with the term
> >> min_t(size_t, sizeof(buf) - 1, count).
> >
> > Sorry, two lines of min_t(..)? Why I can't find it?
>
> Hello Peter,
>
> in my patch I write:
>
> count = min_t(size_t, sizeof(buf) - 1, count);
> if (copy_from_user(buf, ubuf, count))
> return -EFAULT;
>
> /* sscanf requires a zero terminated string */
> buf[count] = 0;
>
> Without the first part of the change I would have had to write:
>
> if (copy_from_user(buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
> return -EFAULT;
>
> /* sscanf requires a zero terminated string */
> buf[min_t(size_t, sizeof(buf) - 1, count)] = 0;
>
> We should do the same calculation
> "min_t(size_t, sizeof(buf) - 1, count)"
> only once in the coding.

Oh, yeah. Send your v2 with '\0' change, thanks.

Peter

>
> Best regards
>
> Heinrich
>
> >
> >
> >
> >>
> >> This would make the code harder to read.
> >>
> >>>>
> >>>> + /* sscanf requires a zero terminated string */
> >>>> + buf[count] = 0;
> >>>> +
> >>>
> >>> I prefer using '\0'
> >>
> >> If you confirm the rest of the patch is ok, I will send an updated patch.
> >>
> >> Best regards
> >>
> >> Heinrich
> >>
> >>>
> >>>> if (sscanf(buf, "%u", &mode) != 1)
> >>>> return -EINVAL;
> >>>>
> >>
> >
>

-- 
Best Regards,
Peter Chen
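
Review bot: The added line "count = min_t(size_t, sizeof(buf) - 1, count);" overwrites the caller-supplied length, so every later use of count in ci_port_test_write() sees the clamped value, and the hunk does not show those uses. If the function returns count on success, a write longer than 31 bytes would be reported as a short write of 31 bytes; please confirm that is intended, or keep the clamped length in a separate local (for example "size_t len") and use it for both copy_from_user() and the terminator. Input longer than sizeof(buf) - 1 is also truncated silently before sscanf() instead of being rejected, which deserves a mention in the commit message. The termination itself is in bounds: with count clamped to sizeof(buf) - 1, buf[count] is at most buf[31] in the 32-byte array.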