Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753286AbbD1IZh (ORCPT <rfc822;w@1wt.eu>);
	Tue, 28 Apr 2015 04:25:37 -0400
Received: from mail-by2on0107.outbound.protection.outlook.com ([207.46.100.107]:46916
	"EHLO na01-by2-obe.outbound.protection.outlook.com"
	rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
	id S1751766AbbD1IZe (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Tue, 28 Apr 2015 04:25:34 -0400
Authentication-Results: spf=fail (sender IP is 192.88.158.2)
 smtp.mailfrom=freescale.com; vger.kernel.org; dkim=none (message not signed)
 header.d=none;
Date: Tue, 28 Apr 2015 16:22:24 +0800
From: Peter Chen <peter.chen@freescale.com>
To: Heinrich Schuchardt <xypron.glpk@gmx.de>
CC: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        <linux-usb@vger.kernel.org>, <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 1/1] drivers/usb/chipidea/debuc.c: avoid out of bound read
Message-ID: <20150428082222.GB32234@shlinux2>
References: <1429250653-1626-1-git-send-email-xypron.glpk@gmx.de>
 <20150421013254.GA25710@shlinux2> <5536A435.1030808@gmx.de>
 <20150422012633.GA2680@shlinux2> <553E7F08.7070205@gmx.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <553E7F08.7070205@gmx.de>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-EOPAttributedMessage: 0
X-Forefront-Antispam-Report: CIP:192.88.158.2;CTRY:US;IPV:NLI;EFV:NLI;BMV:1;SFV:NSPM;SFS:(10019020)(6009001)(339900001)(189002)(199003)(52604005)(51704005)(86362001)(85426001)(33656002)(77156002)(93886004)(46406003)(77096005)(46102003)(83506001)(87936001)(47776003)(23726002)(54356999)(106466001)(4001350100001)(97756001)(105606002)(104016003)(33716001)(50466002)(62966003)(19580395003)(50986999)(19580405001)(6806004)(110136001)(2950100001)(76176999)(92566002)(7059030);DIR:OUT;SFP:1102;SCL:1;SRVR:BLUPR03MB456;H:az84smr01.freescale.net;FPR:;SPF:Fail;MLV:sfv;MX:1;A:1;LANG:en;
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BLUPR03MB456;UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BLUPR03MB133;
X-Microsoft-Antispam-PRVS: <BLUPR03MB45640A49084BBB8366F030B81E80@BLUPR03MB456.namprd03.prod.outlook.com>
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0;PCL:0;RULEID:(601004)(5005006)(5002010)(3002001);SRVR:BLUPR03MB456;BCL:0;PCL:0;RULEID:;SRVR:BLUPR03MB456;
X-Forefront-PRVS: 0560A2214D
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 28 Apr 2015 08:25:31.7018
 (UTC)
X-MS-Exchange-CrossTenant-Id: 710a03f5-10f6-4d38-9ff4-a80b81da590d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=710a03f5-10f6-4d38-9ff4-a80b81da590d;Ip=[192.88.158.2];Helo=[az84smr01.freescale.net]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR03MB456
X-OriginatorOrg: freescale.com
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2864
Lines: 108

On Mon, Apr 27, 2015 at 08:25:12PM +0200, Heinrich Schuchardt wrote:
> On 22.04.2015 03:26, Peter Chen wrote:
> > On Tue, Apr 21, 2015 at 09:25:41PM +0200, Heinrich Schuchardt wrote:
> >> Hello Peter,
> >>
> >> thanks for reviewing.
> >>
> >> On 21.04.2015 03:32, Peter Chen wrote:
> >>> On Fri, Apr 17, 2015 at 08:04:13AM +0200, Heinrich Schuchardt wrote:
> >>>> A string written by the user may not be zero terminated.
> >>>>
> >>>> sscanf may read memory beyond the buffer if no zero byte
> >>>> is found.
> >>>>
> >>>> Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
> >>>> ---
> >>>>  drivers/usb/chipidea/debug.c | 6 +++++-
> >>>>  1 file changed, 5 insertions(+), 1 deletion(-)
> >>>>
> >>>> diff --git a/drivers/usb/chipidea/debug.c b/drivers/usb/chipidea/debug.c
> >>>> index dfb05ed..ef08af3 100644
> >>>> --- a/drivers/usb/chipidea/debug.c
> >>>> +++ b/drivers/usb/chipidea/debug.c
> >>>> @@ -88,9 +88,13 @@ static ssize_t ci_port_test_write(struct file *file, const char __user *ubuf,
> >>>>  	char buf[32];
> >>>>  	int ret;
> >>>>  
> >>>> -	if (copy_from_user(buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
> >>>> +	count = min_t(size_t, sizeof(buf) - 1, count);
> >>>> +	if (copy_from_user(buf, ubuf, count))
> >>>>  		return -EFAULT;
> >>>
> >>> Any reasons to change above?
> >>
> >> Otherwise we would have two lines with the term
> >> min_t(size_t, sizeof(buf) - 1, count).
> > 
> > Sorry, two lines of min_t(..)? Why I can't find it?
> 
> Hello Peter,
> 
> in my patch I write:
> 
> count = min_t(size_t, sizeof(buf) - 1, count);
> if (copy_from_user(buf, ubuf, count))
> 	return -EFAULT;
> 
> /* sscanf requires a zero terminated string */
> buf[count] = 0;
> 
> Without the first part of the change I would have had to write:
> 
> if (copy_from_user(buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
> 	return -EFAULT;
> 
> /* sscanf requires a zero terminated string */
> buf[min_t(size_t, sizeof(buf) - 1, count)] = 0;
> 
> We should do the same calculation
> "min_t(size_t, sizeof(buf) - 1, count)"
> only once in the coding.

Oh, yeah. 
Send your v2 with '\0' change, thanks.

Peter

> 
> Best regards
> 
> Heinrich
> 
> 
> > 
> > 
> >>
> >> This would make the code harder to read.
> >>
> >>>>  
> >>>> +	/* sscanf requires a zero terminated string */
> >>>> +	buf[count] = 0;
> >>>> +
> >>>
> >>> I prefer using '\0'
> >>
> >> If you confirm the rest of the patch is ok, I will send an updated patch.
> >>
> >> Best regards
> >>
> >> Heinrich
> >>
> >>>
> >>>>  	if (sscanf(buf, "%u", &mode) != 1)
> >>>>  		return -EINVAL;
> >>>>  
> >>
> > 
> 

-- 

Best Regards,
Peter Chen
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/