Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.37 as permitted sender) client-ip=23.128.96.37;
From:   "Hennerich, Michael" <Michael.Hennerich@analog.com>
To:     Christophe JAILLET <christophe.jaillet@wanadoo.fr>,
        "keescook@chromium.org" <keescook@chromium.org>,
        Alexander Aring <alex.aring@gmail.com>,
        Stefan Schmidt <stefan@datenfreihafen.org>,
        Miquel Raynal <miquel.raynal@bootlin.com>,
        "David S. Miller" <davem@davemloft.net>,
        Eric Dumazet <edumazet@google.com>,
        Jakub Kicinski <kuba@kernel.org>,
        Paolo Abeni <pabeni@redhat.com>,
        Marcel Holtmann <marcel@holtmann.org>
CC:     "linux-hardening@vger.kernel.org" <linux-hardening@vger.kernel.org>,
        "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
        "kernel-janitors@vger.kernel.org" <kernel-janitors@vger.kernel.org>,
        Stefan Schmidt <stefan@osg.samsung.com>,
        "linux-wpan@vger.kernel.org" <linux-wpan@vger.kernel.org>,
        "netdev@vger.kernel.org" <netdev@vger.kernel.org>
Subject: RE: [PATCH net] net: ieee802154: adf7242: Fix some potential buffer
 overflow in adf7242_stats_show()
Thread-Topic: [PATCH net] net: ieee802154: adf7242: Fix some potential buffer
 overflow in adf7242_stats_show()
Thread-Index: AQHaBEj69vNVcmdAEkKRJdPJLN5zT7BW6mog
Date:   Mon, 23 Oct 2023 06:24:16 +0000
Message-ID: <SN7PR03MB7132B2112186F40E268727D38ED8A@SN7PR03MB7132.namprd03.prod.outlook.com>
References: <7ba06db8987298f082f83a425769fe6fa6715fe7.1697911385.git.christophe.jaillet@wanadoo.fr>
In-Reply-To: <7ba06db8987298f082f83a425769fe6fa6715fe7.1697911385.git.christophe.jaillet@wanadoo.fr>
Accept-Language: de-DE, en-US
Content-Language: en-US
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: =?us-ascii?Q?PvtbIBznWqOT56Y6N/1mLlkDwGhOSjJL0BYhUD6BfA8kCEzPExgBZkLVOW02?=
 =?us-ascii?Q?WhMZUPKhLjLNlP9DTP4Hx/w2ZBSksDJNE26QAeN5+dpSIq1GAwh3CquY8BNa?=
 =?us-ascii?Q?siphyJTjHRAYorjdFZUfNRByncWcsjf3LeQfn7szrhyQtPPbWhdKwneszdqr?=
 =?us-ascii?Q?6BnnjJgNRwsOnrr4jzzDCDqT25LUPCjdHISlK9VIboZzcorxdZli40OhsNxC?=
 =?us-ascii?Q?woBdrsRalrG8bTHgM4NzKvMypFVNfEoe7hIn3jC9uyyju15G67DKyZrmXG2p?=
 =?us-ascii?Q?1Fdy8gM42fA4yYhisquCegAErZkMU9geuUvg3UbVzSi4re2Q2Fm/IvEV5sg2?=
 =?us-ascii?Q?Re30Yw/9VsXGBUNZcZ3M1KCziaRFQts+jjp/vQ6itgVmNqC5zysgAjvsZWhb?=
 =?us-ascii?Q?mCzGZVHAqwiRGRTS+fXuwKCxxIARYYAKyLIZO/EhpT2izccynpEqD/mWuII7?=
 =?us-ascii?Q?gQFzXZ6ySCL0/tBAhTrchLG0Y4J/ebDdwcWRhrLM1Y+IDh+BY/pemTfwQ4eG?=
 =?us-ascii?Q?jIuumGa6pGnQZzWafRUuq6Pfel4UxmuwIaqa4WHEJ3r/1qFclvsXIoo/Y3eK?=
 =?us-ascii?Q?cQE4NMzG+z/OW5P3TRcGPA8fDDO3kY6dKtdvIhgHTxav0MiWSt2eUM86d/cO?=
 =?us-ascii?Q?oBqYg2KOhGo9B5O3GIYrQv108kQk5ZgUZ1+jzbKDjw9SjVqclsa0BvR6xF9f?=
 =?us-ascii?Q?2wwXm+DRPwnxcwwhFC7Zjj9+dB67+a0FoQiL1x7/S1DMk4vaosmSDO7LDYzn?=
 =?us-ascii?Q?RYCHcCo4sJIDEKiP7zjow1wgbjJAtuW309iCrW6SL9vLKowSRCp2ZzEKgpCC?=
 =?us-ascii?Q?6IiGQ0NDBUBC9T9JyzYx9y+/U0iLvCdVic8zGlBWat/XNFBcVZhDe0H3q7a0?=
 =?us-ascii?Q?TZg9hHgQv+6MKA4uuy6w670AIejHkRAvG/tYxGy1iPrOn7qh8VnJcqfYg2Dp?=
 =?us-ascii?Q?p1KrdhXWW3uTnzoxgS9nNqgBEJ/YBAyfl25wLtW1CBs8bAp6Cq4Tp5CEPlq7?=
 =?us-ascii?Q?K3iZ9yKj9g0VA3pMHBWuoGTiP8NcYb1U3oRPDkj7eFe9Imz/iy8SucdJWPXC?=
 =?us-ascii?Q?tBRi7iAMSjeTn5BNtR3GpzA31JNsj//jAv+zsWcq1YYPSh5ngOIa0RViNufE?=
 =?us-ascii?Q?IMPG0UGEJq36gX/w9c7q/CS4WYNnim3qMxcYFgWMfNZ4PK/5tlQwQked/GN7?=
 =?us-ascii?Q?J6b69W0Mr1cn1L5W01ImX44HWBerd8tC4NJ+A1SvHVJEYc7NX0X8q7rM318W?=
 =?us-ascii?Q?4HszOOEkgYSQfmUgrWxlxFKALipwTKzLiNMNLkzsruaIksoSWzsaLHBbKljn?=
 =?us-ascii?Q?qJ2tm8HKzQ/jCfFNOT+fIeVyhWeBEIbX1lu7rn/1vU34tyJNfEnIpM4MoZoI?=
 =?us-ascii?Q?K6n9sJyXh/4cUtccTHyJHUOzyNAEsssDsvTKXlULc2CHp1+iZ2fOIgPMgyQ/?=
 =?us-ascii?Q?PKtpRCdrO2/SioYCPvv4U5IS16Log/XnOWjWHiXDANW6h+iTU2IsBmjA0kra?=
 =?us-ascii?Q?JRl8Gl/fwJOy3tYHL4h3ZiCqO7ZbZ3yV5QBoshgcQ2H3YmOs474KYgFVp57S?=
 =?us-ascii?Q?ghFbazfaUCX6tW5LG+I7llsEn0KNzsJFZP7NvplJU3B7YZVLRmC/Op4MAUKb?=
 =?us-ascii?Q?0g=3D=3D?=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: analog.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SN7PR03MB7132.namprd03.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 5dc72305-e376-40c3-a418-08dbd390aed3
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Oct 2023 06:24:16.4484
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: eaa689b4-8f87-40e0-9c6f-7228de4d754a
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: rixPErjm/9Yo5kdByc6aI60cxkI6dSVE/a+p0rIxWNVxIPiU8vhtwUGhDUI5gje9sXwxx8b3TxQSbUI12bCr9VKXO5C6ZGS28GD4yjggokI=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL1PR03MB5957
X-Proofpoint-GUID: rzJh7cbR5jbKHSOp95nDnuBdS3X5Z4H7
X-Proofpoint-ORIG-GUID: rzJh7cbR5jbKHSOp95nDnuBdS3X5Z4H7
X-Proofpoint-Virus-Version: vendor=baseguard
 engine=ICAP:2.0.272,Aquarius:18.0.980,Hydra:6.0.619,FMLib:17.11.176.26
 definitions=2023-10-23_04,2023-10-19_01,2023-05-22_02
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 bulkscore=0
 malwarescore=0 mlxlogscore=999 clxscore=1011 mlxscore=0 suspectscore=0
 priorityscore=1501 impostorscore=0 adultscore=0 lowpriorityscore=0
 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.19.0-2310170000 definitions=main-2310230055
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no
        version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (snail.vger.email [0.0.0.0]); Sun, 22 Oct 2023 23:27:43 -0700 (PDT)


> -----Original Message-----
> From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
> Sent: Samstag, 21. Oktober 2023 20:04
> To: keescook@chromium.org; Hennerich, Michael
> <Michael.Hennerich@analog.com>; Alexander Aring <alex.aring@gmail.com>;
> Stefan Schmidt <stefan@datenfreihafen.org>; Miquel Raynal
> <miquel.raynal@bootlin.com>; David S. Miller <davem@davemloft.net>; Eric
> Dumazet <edumazet@google.com>; Jakub Kicinski <kuba@kernel.org>; Paolo
> Abeni <pabeni@redhat.com>; Marcel Holtmann <marcel@holtmann.org>
> Cc: linux-hardening@vger.kernel.org; linux-kernel@vger.kernel.org; kernel=
-
> janitors@vger.kernel.org; Christophe JAILLET <christophe.jaillet@wanadoo.=
fr>;
> Stefan Schmidt <stefan@osg.samsung.com>; linux-wpan@vger.kernel.org;
> netdev@vger.kernel.org
> Subject: [PATCH net] net: ieee802154: adf7242: Fix some potential buffer
> overflow in adf7242_stats_show()
>=20
>=20
> strncat() usage in adf7242_debugfs_init() is wrong.
> The size given to strncat() is the maximum number of bytes that can be wr=
itten,
> excluding the trailing NULL.
>=20
> Here, the size that is passed, DNAME_INLINE_LEN, does not take into accou=
nt
> the size of "adf7242-" that is already in the array.
>=20
> In order to fix it, use snprintf() instead.
>=20
> Fixes: 7302b9d90117 ("ieee802154/adf7242: Driver for ADF7242 MAC
> IEEE802154")
> Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
> ---

Acked-by: Michael Hennerich <michael.hennerich@analog.com>

>  drivers/net/ieee802154/adf7242.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>=20
> diff --git a/drivers/net/ieee802154/adf7242.c
> b/drivers/net/ieee802154/adf7242.c
> index a03490ba2e5b..cc7ddc40020f 100644
> --- a/drivers/net/ieee802154/adf7242.c
> +++ b/drivers/net/ieee802154/adf7242.c
> @@ -1162,9 +1162,10 @@ static int adf7242_stats_show(struct seq_file *fil=
e,
> void *offset)
>=20
>  static void adf7242_debugfs_init(struct adf7242_local *lp)  {
> -	char debugfs_dir_name[DNAME_INLINE_LEN + 1] =3D "adf7242-";
> +	char debugfs_dir_name[DNAME_INLINE_LEN + 1];
>=20
> -	strncat(debugfs_dir_name, dev_name(&lp->spi->dev),
> DNAME_INLINE_LEN);
> +	snprintf(debugfs_dir_name, sizeof(debugfs_dir_name),
> +		 "adf7242-%s", dev_name(&lp->spi->dev));
>=20
>  	lp->debugfs_root =3D debugfs_create_dir(debugfs_dir_name, NULL);
>=20
> --
> 2.34.1