Date: Mon, 31 Jul 2023 16:24:26 -0700
From: Bjorn Andersson
To: Praveenkumar I
Cc: agross@kernel.org, konrad.dybcio@linaro.org, linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org, quic_varada@quicinc.com, quic_clew@quicinc.com
Subject: Re: [PATCH v2] soc: qcom: qmi_encdec: Restrict string length in decode
References: <20230731100311.2506271-1-quic_ipkumar@quicinc.com>
In-Reply-To: <20230731100311.2506271-1-quic_ipkumar@quicinc.com>

On Mon, Jul 31, 2023 at 03:33:11PM +0530, Praveenkumar I wrote:
> The QMI TLV value for strings in a lot of qmi element info structures
> account for null terminated strings with MAX_LEN + 1. If a string is
> actually MAX_LEN + 1 length, this will cause an out of bounds access
> when the NULL character is appended in decoding.
>
> Fixes: 9b8a11e82615 ("soc: qcom: Introduce QMI encoder/decoder")
> Cc: stable@vger.kernel.org
> Signed-off-by: Chris Lew
> Signed-off-by: Praveenkumar I The signed-off-by list says that Chris certified the patch's origin first, then you took it, certified the origin and submitted it to the mailing list. This matches reality, but you lost Chris' authorship in the process, please add that back. Thanks, Bjorn > --- > [v2]: > Added Fixes and Cc: stable > > drivers/soc/qcom/qmi_encdec.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/soc/qcom/qmi_encdec.c b/drivers/soc/qcom/qmi_encdec.c > index b7158e3c3a0b..5c7161b18b72 100644 > --- a/drivers/soc/qcom/qmi_encdec.c > +++ b/drivers/soc/qcom/qmi_encdec.c > @@ -534,8 +534,8 @@ static int qmi_decode_string_elem(const struct qmi_elem_info *ei_array, > decoded_bytes += rc; > } > > - if (string_len > temp_ei->elem_len) { > - pr_err("%s: String len %d > Max Len %d\n", > + if (string_len >= temp_ei->elem_len) { > + pr_err("%s: String len %d >= Max Len %d\n", > __func__, string_len, temp_ei->elem_len); > return -ETOOSMALL; > } else if (string_len > tlv_len) { > -- > 2.34.1 >
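Review bot: the tightened check at `if (string_len >= temp_ei->elem_len)` carries no comment saying why equality is rejected, and the pr_err text still calls elem_len "Max Len" although the longest string now accepted is elem_len - 1. A one-line comment above the check stating that elem_len has to leave room for the terminating NUL the decoder appends would keep a later cleanup from turning it back into `>`. The commit message says "a lot of" element info structures declare MAX_LEN + 1, so it should also say what is expected of the ones that do not, since after this change they get -ETOOSMALL for a string of exactly their declared length.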