From: Daniel Mentz
Date: Tue, 17 Oct 2023 14:56:33 -0700
Subject: Re: [PATCH] scsi: ufs: Leave space for '\0' in utf8 desc string
To: Bart Van Assche, Avri Altman
Cc: linux-scsi@vger.kernel.org, linux-kernel@vger.kernel.org, Tomas Winkler, Martin K. Petersen, Mars Cheng, Yen-lin Lai
References: <20231017182026.2141163-1-danielmentz@google.com> <52a248fc-465e-4050-8692-5105b6aaa764@acm.org>
In-Reply-To: <52a248fc-465e-4050-8692-5105b6aaa764@acm.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Oct 17, 2023 at 12:33 PM Bart Van Assche wrote:
>
> On 10/17/23 12:20, Avri Altman wrote:
> >> Fixes: 4b828fe156a6 ("scsi: ufs: revamp string descriptor reading")
> > I think this code goes back to commit b573d484e4ff (scsi: ufs: add support to read device and string descriptors)
>
> Hmm ... it seems to me that there was no buffer overflow in commit
> b573d484e4ff but that the buffer overflow was introduced by commit
> 4b828fe156a6?

Thank you for the review, Avri.

To me, it appears as if those two commits had different issues:

commit b573d484e4ff ("scsi: ufs: add support to read device and string descriptors") failed to reliably NULL terminate the output string (in the case where ascii_len == size - QUERY_DESC_HDR_SIZE).

commit 4b828fe156a6 ("scsi: ufs: revamp string descriptor reading") potentially performs an out-of-bounds array access while NULL terminating the output string.

I would argue that the proposed fix wouldn't even fix the former and older commit b573d484e4ff, because that commit might have required more fixes like using kzalloc instead of kmalloc.

I find that the newer commit 4b828fe156a6 did enough of refactoring for it to be considered the commit that needs this fix.
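The pattern this thread discusses (an output buffer sized as UTF-16 units plus one, a converter allowed to fill it, then a terminator stored at the index the converter returns) is easier to see in a small model. The following C is an added example written for this page, not code from the patch, from the kernel, or from either commit named above; QUERY_DESC_HDR_SIZE is the only identifier taken from the thread, and the descriptor layout, the toy converter utf16be_to_utf8() and the sample descriptors are assumptions of the model. terminator_in_bounds() dry-runs the flawed sequence and reports whether the '\0' would fall inside the buffer, and desc_to_utf8() shows the corrected form that keeps one byte back for the terminator.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* UFS descriptor header: bLength then bDescriptorType. The constant name comes
 * from the thread; the 2-byte layout and type value 0x05 below are assumptions. */
#define QUERY_DESC_HDR_SIZE 2

/* UTF-16 payload bytes after the header (0 if bLength cannot hold it). */
static size_t payload_bytes(const uint8_t *desc)
{
    return desc[0] < QUERY_DESC_HDR_SIZE ? 0 : (size_t)desc[0] - QUERY_DESC_HDR_SIZE;
}

/* Buffer size as the pattern in the thread computes it: one byte per UTF-16
 * unit plus one. That is only enough when every unit is ASCII. */
static size_t ascii_buf_len(const uint8_t *desc)
{
    return payload_bytes(desc) / 2 + 1;
}

/* Encode one BMP code point as UTF-8 into tmp (3 bytes of room). Toy
 * converter without surrogate handling, not the kernel's utf16s_to_utf8s(). */
static size_t encode_utf8(uint16_t cp, uint8_t *tmp)
{
    if (cp < 0x80) {
        tmp[0] = (uint8_t)cp;
        return 1;
    }
    if (cp < 0x800) {
        tmp[0] = (uint8_t)(0xC0 | (cp >> 6));
        tmp[1] = (uint8_t)(0x80 | (cp & 0x3F));
        return 2;
    }
    tmp[0] = (uint8_t)(0xE0 | (cp >> 12));
    tmp[1] = (uint8_t)(0x80 | ((cp >> 6) & 0x3F));
    tmp[2] = (uint8_t)(0x80 | (cp & 0x3F));
    return 3;
}

/* Convert UTF-16BE to UTF-8, writing at most max_out bytes and no terminator;
 * stops at the first character that would not fit. Returns bytes written.
 * With out == NULL only the count is computed. */
static size_t utf16be_to_utf8(const uint8_t *payload, size_t len,
                              uint8_t *out, size_t max_out)
{
    size_t written = 0;
    for (size_t i = 0; i + 1 < len; i += 2) {
        uint16_t cp = (uint16_t)((payload[i] << 8) | payload[i + 1]);
        uint8_t tmp[3];
        size_t n = encode_utf8(cp, tmp);
        if (written + n > max_out)
            break;
        if (out)
            memcpy(out + written, tmp, n);
        written += n;
    }
    return written;
}

/* Dry run of "convert, then store '\0' at the returned index". Without a
 * reserved byte the converter may fill the whole buffer, so the terminator
 * index can equal ascii_len, one past the end. Nothing is written here; the
 * function only reports whether the terminator would land in bounds. */
bool terminator_in_bounds(const uint8_t *desc, bool leave_space)
{
    size_t ascii_len = ascii_buf_len(desc);
    size_t limit = leave_space ? ascii_len - 1 : ascii_len;
    size_t written = utf16be_to_utf8(desc + QUERY_DESC_HDR_SIZE, payload_bytes(desc), NULL, limit);
    return written < ascii_len;
}

/* Corrected form: the converter gets out_size - 1 bytes, so the terminator
 * always has a slot. Returns the number of bytes before the '\0'. */
size_t desc_to_utf8(const uint8_t *desc, char *out, size_t out_size)
{
    size_t written;
    if (out_size == 0)
        return 0;
    written = utf16be_to_utf8(desc + QUERY_DESC_HDR_SIZE, payload_bytes(desc), (uint8_t *)out, out_size - 1);
    out[written] = '\0';
    return written;
}

/* Constructed sample descriptors, not captured from a device. */
const uint8_t desc_ascii[]  = { 6, 0x05, 0x00, 'a', 0x00, 'b' };  /* "ab" */
const uint8_t desc_latin1[] = { 4, 0x05, 0x00, 0xFF };            /* U+00FF, 2 UTF-8 bytes */
const uint8_t desc_wide[]   = { 6, 0x05, 0x20, 0xAC, 0x00, 'x' }; /* U+20AC 'x', 3 + 1 bytes */

int main(void)
{
    char buf[8];
    size_t n = desc_to_utf8(desc_latin1, buf, ascii_buf_len(desc_latin1));
    printf("U+00FF: terminator in bounds without reserve=%d, with reserve=%d; "
           "hardened output \"%s\" (%zu bytes)\n",
           terminator_in_bounds(desc_latin1, false),
           terminator_in_bounds(desc_latin1, true), buf, n);
    return 0;
}
```

The overflow only surfaces when a UTF-16 unit expands to more than one UTF-8 byte, which is why ASCII-only test strings never trigger it; a check that reports the terminator index, as terminator_in_bounds() does, exposes the defect without performing the out-of-bounds store.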