Received: by 2002:a05:6358:c692:b0:131:369:b2a3 with SMTP id fe18csp5030957rwb;
        Mon, 31 Jul 2023 17:07:24 -0700 (PDT)
X-Google-Smtp-Source: APBJJlHjUtBY4QUouDEQyYoyWI+peetMRPSnjVQqqqn+nIgP8Ih1A0WvuUNvABM+gfOl2+VBo4dW
X-Received: by 2002:a17:903:1107:b0:1bb:9506:d47c with SMTP id n7-20020a170903110700b001bb9506d47cmr12003305plh.19.1690848444308;
        Mon, 31 Jul 2023 17:07:24 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1690848444; cv=none;
        d=google.com; s=arc-20160816;
        b=WiUXJnA9AjhJMSbv/+Qx9C57nMu+uCS/0Zi0g3Kq1l7v7L3v2aCGaFP6KmiKxy33dC
         GAxzEJ6DeIgvcHGPVMGNlzVLaNyj0KdrY9UwB76Qd0AHPCdm5BS0d/hso9qVGXiH71oc
         XFmerJxYdu91IASZxrMByYZd+h+2JVl/c0y59R0Dzd888S3cSwqaJ/qnq9axuuW8HzzW
         2LcoraliarslKS/Ovvx0xfNPJ6ZJTvt85J9zTlco7HuLeprhtYki1alQyML6OjsXtRpx
         XBNNS3BtMi6P3oroXt7c9xkqlOo0rs7N+6m3zziEfhfuvPBT/wr8kj+/31kPiRZijAdu
         Xsqw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=qtQfsABuQc53by456eOT4hUMnKBPflUyeQu67tNuD+M=;
        fh=EMkWYmdxnc1LSbpSveih4j7WN/BpPOVW/R6hAjJdM9g=;
        b=KF/r4PZ+i6yu6ZDZbvi2D2rDpzT4TbPtJnZP3pdSvO8m+PK5pH7njfekzGb4Y25WPE
         LNVYxpWwGWybl/DZpQx9GdgvgxZTs28yrQAPIwXd+wO62cogMsKLqaq6jVyStMgprHO7
         kslGuGBzZJ8ZoOLZrOQqcwQ9V8Lmpll2bT4xAHJefT9Rf0gz8hGYczxu7RG0Q6b4MM/G
         u4TwATMGPBsHsbneImV1hdA+Fg2c/7uaBX8OrPTlH2370FUihcmyyCUs4q+ZqU51N7nH
         bmSe0wxlSoD0KZrBTsK0r58AHN5dNqo5jNXnbdsr0cEsoGoYtqJJDoxftxMLXeQpxjiD
         Qo/A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=f2oGgg9S;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id w17-20020a170902e89100b001b5006b87c0si6105313plg.139.2023.07.31.17.07.09;
        Mon, 31 Jul 2023 17:07:24 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=f2oGgg9S;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230411AbjGaXVs (ORCPT <rfc822;anothersharkwizard@gmail.com>
        + 99 others); Mon, 31 Jul 2023 19:21:48 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44082 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229604AbjGaXVn (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 31 Jul 2023 19:21:43 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9BA9E124;
        Mon, 31 Jul 2023 16:21:23 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id 9832961350;
        Mon, 31 Jul 2023 23:21:21 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 67782C433C8;
        Mon, 31 Jul 2023 23:21:20 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1690845681;
        bh=UeWtxD2MNERE0o3Lgj+lel/LnXy0KcpgccXB7U/54GU=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=f2oGgg9S3yIz52yJ7KNAtSVDd8dYYhn20eIwS9yNT9+YUUGJJlSr5iT2D82QWdou/
         z2i6XKFo7XK7rwBoyhAJBVLjPn+/fMFRdRmtJHOwY7tTb/I987iDV88Bhha5nKFOGt
         2m3UpTw0JTVCbVQi6tSHtvyVu6jJh5W7mJHPMm7rOelLGWpN2ausWEuqoZo6iE9Ebw
         IFoqiGwOSdiVSoyR25kCBgTscGEZCqx2plhcLnMHVSRo1RJ5HmNpw4pCRJRcZ0gX9N
         hIPlc6DqKRj9FydH4kMok/z2VSe9RHOsilQpFrdb7zLPqw8Adxv/cAMQShpK5JLCTe
         2fxOKi7k/qv4A==
Date:   Mon, 31 Jul 2023 16:24:26 -0700
From:   Bjorn Andersson <andersson@kernel.org>
To:     Praveenkumar I <quic_ipkumar@quicinc.com>
Cc:     agross@kernel.org, konrad.dybcio@linaro.org,
        linux-arm-msm@vger.kernel.org, linux-kernel@vger.kernel.org,
        quic_varada@quicinc.com, quic_clew@quicinc.com
Subject: Re: [PATCH v2] soc: qcom: qmi_encdec: Restrict string length in
 decode
Message-ID: <educjx3enypc4r5pzjb7vopaf2df2s4kzkpqsyecoysxws5422@arrsgt6vjej2>
References: <20230731100311.2506271-1-quic_ipkumar@quicinc.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20230731100311.2506271-1-quic_ipkumar@quicinc.com>
X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jul 31, 2023 at 03:33:11PM +0530, Praveenkumar I wrote:
> The QMI TLV value for strings in a lot of qmi element info structures
> account for null terminated strings with MAX_LEN + 1. If a string is
> actually MAX_LEN + 1 length, this will cause an out of bounds access
> when the NULL character is appended in decoding.
> 
> Fixes: 9b8a11e82615 ("soc: qcom: Introduce QMI encoder/decoder")
> Cc: stable@vger.kernel.org
> Signed-off-by: Chris Lew <quic_clew@quicinc.com>
> Signed-off-by: Praveenkumar I <quic_ipkumar@quicinc.com>

The signed-off-by list says that Chris certified the patch's origin
first, then you took it, certified the origin and submitted it to the
mailing list.

This matches reality, but you lost Chris' authorship in the process,
please add that back.

Thanks,
Bjorn

> ---
> [v2]:
> 	Added Fixes and Cc: stable
> 
>  drivers/soc/qcom/qmi_encdec.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/soc/qcom/qmi_encdec.c b/drivers/soc/qcom/qmi_encdec.c
> index b7158e3c3a0b..5c7161b18b72 100644
> --- a/drivers/soc/qcom/qmi_encdec.c
> +++ b/drivers/soc/qcom/qmi_encdec.c
> @@ -534,8 +534,8 @@ static int qmi_decode_string_elem(const struct qmi_elem_info *ei_array,
>  		decoded_bytes += rc;
>  	}
>  
> -	if (string_len > temp_ei->elem_len) {
> -		pr_err("%s: String len %d > Max Len %d\n",
> +	if (string_len >= temp_ei->elem_len) {
> +		pr_err("%s: String len %d >= Max Len %d\n",
>  		       __func__, string_len, temp_ei->elem_len);
>  		return -ETOOSMALL;
>  	} else if (string_len > tlv_len) {
> -- 
> 2.34.1
>