Received: by 2002:a05:6358:a55:b0:ec:fcf4:3ecf with SMTP id 21csp6614401rwb; Wed, 18 Jan 2023 07:20:57 -0800 (PST) X-Google-Smtp-Source: AMrXdXvqwU/MG0aZGvjL3G1zFFsXZqSQygzDUgc9+sFR5IHj0WjFV6Bz115JirH4yOgSjrvSShYe X-Received: by 2002:a05:6a20:8e05:b0:af:ae14:9ecb with SMTP id y5-20020a056a208e0500b000afae149ecbmr11436290pzj.17.1674055256892; Wed, 18 Jan 2023 07:20:56 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1674055256; cv=none; d=google.com; s=arc-20160816; b=Ov7vnGXwhnCBzZ5Yod0Rxf0pWXCOj4ZvpQPZ+imyplyEojJqqWiiwiR1OfDQADSuTQ YJ5/D9d/vW1DPq2Gg2TEhVrZIiagUpWzOMPOXtkKHJrmD88ZwOG+iQnhXU0L/jxFoDgi qDQpB38LRxS0dOdHcNK+NwMYKJONFZNcP8GW7iYDRbGgUFc1xAc3zRu8bc0lX5Y4q3Ns ukexVRS9r4SXgkAY3Fc2nG/YBgKzZLFzqweEHxEBVPFOin1xK/g/QIvuRYtE1VznJLak nWcO8uvsvUimUQBr1SwfPtDud0WTJ/GlzAGS6NNi2IKYddurnU8eNwgzfZjVTKmRBnAe hxLw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version; bh=zp/Qb8JE/S2uY67GV9cLrf5ynIgddgJKDaz9VISPXI4=; b=NfeYBEprPG2F7B5619qQO4YcJSVLS+9V2bCT41xkLSS+N4zDvZqrXYC28ciCCxaETh bTBKszcvcsyaDFb6aH1VGMuinYK6qtQkoGYai9Mok7LJflBWhlljXm0Le8idMDg/nfvd WxjXuQrrcTMZiS+HmqPVDg4IqJQcQAIffi8xE2nu/PHtOlXAiO4N2118yWOfgclDzw3Z XbzujunwDVJMcqW80IumGa8vSNpxlnX8dRWXNMLVzENHqunVQAub4ManRvyUN+rZmow9 gTbMMLQwGpz2mQ+qmQMohb1hRCr3sxrMbPMVoz9bX2+f/eBsxq4VoRGrfY3RwEtjkGIZ JBbA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id x4-20020a63db44000000b00476e6407413si36718504pgi.15.2023.01.18.07.20.51; Wed, 18 Jan 2023 07:20:56 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231419AbjARPD1 (ORCPT + 45 others); Wed, 18 Jan 2023 10:03:27 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60568 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231296AbjARPCs (ORCPT ); Wed, 18 Jan 2023 10:02:48 -0500 Received: from mail-ej1-f47.google.com (mail-ej1-f47.google.com [209.85.218.47]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D36F645F71; Wed, 18 Jan 2023 07:01:05 -0800 (PST) Received: by mail-ej1-f47.google.com with SMTP id v6so40895256ejg.6; Wed, 18 Jan 2023 07:01:05 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=zp/Qb8JE/S2uY67GV9cLrf5ynIgddgJKDaz9VISPXI4=; b=PDgTo38KhpT4sT8dIlz4noEcc0j1vfwCu4YRN5qmh1yjSmytMy5aYt/q+3jcZYI8ZK 6eNHjnRPkwxzpwkpwFPvmzIw4JI9OPnSydHYGLrPbjqm+u/ERuApdXnhba6jTHaX4KXL FlxW9fQjKqwUDZJe1jUQ6NIfwL/xWY4dqUvmPTo11Hljr/gYLRnhGJhj1cmmjy4GgRTQ jAXS79JYW2ap5TOWEzxvFJYN9H+X1nTCZz6BdN3JUQYOysAVAP27fhCOvGCDSs9/oOeJ a6ZT8+A/qglgTNlpjPYzCzs2B5Su3TRq/4UWYPE2tpHFs+Nu9Fxnp3/6n6aeTh6r1m0b NYcA== X-Gm-Message-State: AFqh2krIxgvdx6LFyGiTZUnnejD4SvOFVwhTRVnsyA/AmYR3zybtZJJK HPLzlSfMPd7KL+08t/bUNRn9GWwFnDI9sTVoMSVGX9ZJ X-Received: by 2002:a17:906:a20c:b0:7c1:5ff0:6cc2 with SMTP id r12-20020a170906a20c00b007c15ff06cc2mr589851ejy.246.1674054064313; Wed, 18 Jan 2023 07:01:04 -0800 (PST) MIME-Version: 1.0 References: <20230114085053.72059-1-W_Armin@gmx.de> <20230114085053.72059-3-W_Armin@gmx.de> <90f1270d-3c37-088b-98ac-a08caba685e8@gmx.de> In-Reply-To: <90f1270d-3c37-088b-98ac-a08caba685e8@gmx.de> From: "Rafael J. Wysocki" Date: Wed, 18 Jan 2023 16:00:53 +0100 Message-ID: Subject: Re: [PATCH 2/4] ACPI: battery: Fix buffer overread if not NUL-terminated To: Armin Wolf Cc: "Rafael J. Wysocki" , lenb@kernel.org, linux-acpi@vger.kernel.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-1.4 required=5.0 tests=BAYES_00, FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jan 17, 2023 at 10:01 PM Armin Wolf wrote: > > Am 17.01.23 um 15:42 schrieb Rafael J. Wysocki: > > > On Sat, Jan 14, 2023 at 9:51 AM Armin Wolf wrote: > >> If the buffer containing string data is not NUL-terminated > >> (which is perfectly legal according to the ACPI specification), > >> the acpi battery driver might not honor its length. > > Note that this is about extracting package entries of type ACPI_TYPE_BUFFER. > > > > And please spell ACPI in capitals. > > > >> Fix this by limiting the amount of data to be copied to > >> the buffer length while also using strscpy() to make sure > >> that the resulting string is always NUL-terminated. > > OK > > > >> Also use '\0' instead of a plain 0. > > Why? It's a u8, not a char. > > > >> Signed-off-by: Armin Wolf > >> --- > >> drivers/acpi/battery.c | 23 ++++++++++++++++------- > >> 1 file changed, 16 insertions(+), 7 deletions(-) > >> > >> diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c > >> index fb64bd217d82..9f6daa9f2010 100644 > >> --- a/drivers/acpi/battery.c > >> +++ b/drivers/acpi/battery.c > >> @@ -438,15 +438,24 @@ static int extract_package(struct acpi_battery *battery, > >> if (offsets[i].mode) { > >> u8 *ptr = (u8 *)battery + offsets[i].offset; > > I would add > > > > u32 len = 32; > > > >> - if (element->type == ACPI_TYPE_STRING || > >> - element->type == ACPI_TYPE_BUFFER) > >> + switch (element->type) { > > And here I would do > > > > case ACPI_TYPE_BUFFER: > > if (len > element->buffer.length + 1) > > len = element->buffer.length + 1; > > > > fallthrough; > > case ACPI_TYPE_STRING: > > strscpy(ptr, element->buffer.pointer, len); > > break; > > case ACPI_TYPE_INTEGER: > > > > and so on. > > But wouldn't this cause the ACPI string object to be accessed the wrong way > (buffer.pointer instead of string.pointer)? I meant string.pointer, like in the original code, but this doesn't matter really, because the value of the pointer is the same.