Date: Wed, 14 Jul 2021 18:52:24 +0200
Message-ID: <20210714185224.Horde.SuBZAzTXvfB6J6HsqQkOog6@messagerie.c-s.fr>
From: Christophe Leroy
To: Yi Zhuang
Cc: linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, hegdevasant@linux.vnet.ibm.com, paulus@samba.org, benh@kernel.crashing.org
Subject: Re: [PATCH v2] powerpc/rtas_flash: fix a potential buffer overflow
In-Reply-To: <20210714122753.76021-1-zhuangyi1@huawei.com>

Yi Zhuang wrote:

> Since snprintf() returns the possible output size instead of the
> actual output size, the available flash_msg length returned by
> get_validate_flash_msg may exceed the given buffer limit when
> simple_read_from_buffer calls copy_to_user
>
> Reported-by: kernel test robot
> Fixes: a94a14720eaf5 powerpc/rtas_flash: Fix validate_flash buffer
> overflow issue
> Signed-off-by: Yi Zhuang
> ---
> arch/powerpc/kernel/rtas_flash.c | 7 ++++++-
> 1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/arch/powerpc/kernel/rtas_flash.c
> b/arch/powerpc/kernel/rtas_flash.c
> index a99179d83538..062f0724c2ff 100644
> --- a/arch/powerpc/kernel/rtas_flash.c
> +++ b/arch/powerpc/kernel/rtas_flash.c
> @@ -470,9 +470,14 @@ static int get_validate_flash_msg(struct
> rtas_validate_flash_t *args_buf,
> if (args_buf->status >= VALIDATE_TMP_UPDATE) {
> n = sprintf(msg, "%d\n", args_buf->update_results);
> if ((args_buf->update_results >= VALIDATE_CUR_UNKNOWN) ||
> - (args_buf->update_results == VALIDATE_TMP_UPDATE))
> + (args_buf->update_results == VALIDATE_TMP_UPDATE)) {
> n += snprintf(msg + n, msglen - n, "%s\n",
> args_buf->buf);
> + if (n >= msglen) {

n cannot be greater than msglen

> + n = msglen;
> + printk(KERN_ERR "FLASH: msg too long.\n");
> + }
> + }
> } else {
> n = sprintf(msg, "%d\n", args_buf->status);
> }
> --
> 2.26.0.106.g9fadedd
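Review bot: the new `if (n >= msglen)` clamp in the `VALIDATE_TMP_UPDATE` branch sets `n = msglen`, but the `snprintf(msg + n, msglen - n, "%s\n", args_buf->buf)` just above it stores at most `msglen - n - 1` characters plus the terminating NUL, so the bytes actually written never exceed `msglen - 1`; a caller that forwards the clamped `n` copies one byte of terminator along with the text. Replacing that `snprintf()` with `scnprintf()`, which returns the number of characters actually written, keeps `n` within `msglen - 1` by construction, fixes the overshoot the commit message describes, and removes the need for the clamp and the new `printk(KERN_ERR "FLASH: msg too long.\n")`, which reports an ordinary truncation of the firmware text as a driver error every time it occurs; if a diagnostic is still wanted, a rate-limited warning is more proportionate than `KERN_ERR`.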
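The snprintf() return-value hazard described in the commit message, as an added example that is neither the patch's code nor the kernel's: a userspace stand-in for the kernel's scnprintf() (named scnprintf_compat here, an assumption), a build_msg_* helper that mirrors the shape of get_validate_flash_msg() with constructed status and text values, the patch's clamp applied to the snprintf() total, and the scnprintf()-style variant. It shows that the snprintf() total overshoots the buffer, that clamping to msglen lands one past the last stored character, and that the scnprintf()-style total equals exactly the bytes stored.

```c
/*
 * Added example, not code from the patch or the kernel.  Demonstrates why
 * the value snprintf() returns must not be used as a byte count for a
 * bounded buffer, and how a scnprintf()-style return avoids the problem.
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample values (hypothetical): a status code and a
 * firmware-supplied message longer than the 16-byte output buffer. */
#define SAMPLE_STATUS 5
static const char sample_text[] = "firmware image validation failed"; /* 32 chars */

/* Userspace stand-in for the kernel's scnprintf(): returns the number of
 * characters actually stored (excluding the NUL), never more than size - 1. */
static int scnprintf_compat(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int ret;

	if (size == 0)
		return 0;
	va_start(ap, fmt);
	ret = vsnprintf(buf, size, fmt, ap);
	va_end(ap);
	if (ret < 0)
		return 0;
	return (size_t)ret < size ? ret : (int)size - 1;
}

/* Same shape as the original code: a status line, then the text buffer.
 * Returns the length the caller would hand to copy_to_user(). */
static int build_msg_snprintf(char *msg, size_t msglen, int status, const char *text)
{
	int n = snprintf(msg, msglen, "%d\n", status);

	/* The original uses sprintf() here and assumes the status fits;
	 * guard so msglen - n cannot wrap in this demonstration. */
	if ((size_t)n >= msglen)
		return n;
	/* Bug pattern: snprintf() reports how much room the output *would*
	 * need, so n can exceed msglen although only msglen - 1 characters
	 * were stored. */
	n += snprintf(msg + n, msglen - n, "%s\n", text);
	return n;
}

/* The patch's approach: keep snprintf() and clamp the total afterwards. */
static int build_msg_clamped(char *msg, size_t msglen, int status, const char *text)
{
	int n = build_msg_snprintf(msg, msglen, status, text);

	if (n >= (int)msglen)
		n = (int)msglen;	/* one past the last stored character */
	return n;
}

/* scnprintf()-style: n is exactly the number of characters stored. */
static int build_msg_scnprintf(char *msg, size_t msglen, int status, const char *text)
{
	int n = scnprintf_compat(msg, msglen, "%d\n", status);

	n += scnprintf_compat(msg + n, msglen - n, "%s\n", text);
	return n;
}

int main(void)
{
	char msg[16];
	int n;

	n = build_msg_snprintf(msg, sizeof(msg), SAMPLE_STATUS, sample_text);
	printf("snprintf total   : n=%d, stored=%zu, buffer=%zu\n", n, strlen(msg), sizeof(msg));

	n = build_msg_clamped(msg, sizeof(msg), SAMPLE_STATUS, sample_text);
	printf("clamped to msglen: n=%d, stored=%zu\n", n, strlen(msg));

	n = build_msg_scnprintf(msg, sizeof(msg), SAMPLE_STATUS, sample_text);
	printf("scnprintf total  : n=%d, stored=%zu\n", n, strlen(msg));
	return 0;
}
```

With the 16-byte buffer the snprintf() total is 35 while only 15 characters are stored, the clamp returns 16, and the scnprintf()-style total returns 15, the only value that is safe to pass on as a byte count.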