From: Benjamin Tissoires
Date: Tue, 3 Jul 2018 09:50:16 +0200
Subject: Re: [PATCH] HID: debug: check length before copy_to_user()
To: Daniel Rosenberg
Cc: Jiri Kosina, "open list:HID CORE LAYER", lkml, kernel-team@android.com, "3.8+"
References: <20180702235937.111619-1-drosen@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jul 3, 2018 at 1:59 AM, Daniel Rosenberg wrote:
> If our length is greater than the size of the buffer, we
> overflow the buffer
>
> Signed-off-by: Daniel Rosenberg
> Cc: stable@vger.kernel.org
> ---

Looks good:
Reviewed-by: Benjamin Tissoires

Cheers,
Benjamin

> drivers/hid/hid-debug.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/drivers/hid/hid-debug.c b/drivers/hid/hid-debug.c > index 8469b6964ff64..b48100236df89 100644 > --- a/drivers/hid/hid-debug.c > +++ b/drivers/hid/hid-debug.c > @@ -1154,6 +1154,8 @@ static ssize_t hid_debug_events_read(struct file *file, char __user *buffer, > goto out; > if (list->tail > list->head) { > len = list->tail - list->head; > + if (len > count) > + len = count; > > if (copy_to_user(buffer + ret, &list->hid_debug_buf[list->head], len)) { > ret = -EFAULT; > @@ -1163,6 +1165,8 @@ static ssize_t hid_debug_events_read(struct file *file, char __user *buffer, > list->head += len; > } else { > len = HID_DEBUG_BUFSIZE - list->head; > + if (len > count) > + len = count; > > if (copy_to_user(buffer, &list->hid_debug_buf[list->head], len)) { > ret = -EFAULT; > @@ -1170,7 +1174,9 @@ static ssize_t hid_debug_events_read(struct file *file, char __user *buffer, > } > list->head = 0; > ret += len; > - goto copy_rest; > + count -= len; > + if (count > 0) > + goto copy_rest; > } > > } > -- > 2.18.0.399.gad0ab374a1-goog >
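
Review bot: the clamp added in the @@ -1154 hunk (if (len > count) len = count;) is only correct if count means the space still left in the user buffer, because this branch writes at buffer + ret. On the copy_rest path that holds solely because of the count -= len added in the last hunk. A one-line comment stating that count is the remaining byte budget would make that dependency explicit, and folding the two-line clamp into a single min()-style expression would avoid repeating it verbatim in the else branch.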
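
Review bot: in the else branch of the @@ -1163 hunk the copy still targets buffer, while the first branch uses buffer + ret. Now that len is clamped against count, this is only right if ret is always 0 when the branch runs. Either use buffer + ret here as well or add a comment saying why the offset is known to be zero.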
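
Review bot: list->head = 0 in the @@ -1170 hunk still runs unconditionally, so when the new clamp in the else branch shortens len below HID_DEBUG_BUFSIZE - list->head, the bytes between list->head + len and the end of hid_debug_buf are skipped and never reach the reader. Advance the head by len and wrap it only when it reaches HID_DEBUG_BUFSIZE, for example list->head = (list->head + len) % HID_DEBUG_BUFSIZE, and take the goto copy_rest only when the head actually wrapped.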