Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp2215947pxb;
        Mon, 11 Jan 2021 04:14:35 -0800 (PST)
X-Google-Smtp-Source: ABdhPJz1Nt/OmcO8Jm+wP3brQ/ZRtiVDzk/wXSDmy6HgNQfb5w97CUQBITCNam+gELiuHQkE/sjs
X-Received: by 2002:a17:906:77c5:: with SMTP id m5mr10307902ejn.424.1610367275549;
        Mon, 11 Jan 2021 04:14:35 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1610367275; cv=none;
        d=google.com; s=arc-20160816;
        b=MQyIOgIU7BhuSt9/74hXzzVMG1rZ8eMZl87aa86R8jir18Hg+JpdHcOnnFf3tSIs3t
         Ic+0rVjEfM49EOxhDzemfj2xElSzyY1/gAigrCNGOOPi7by7i0fS+wXl3yOY+Lz4qGfQ
         D4JADJ4CaFmcIlMLvt0/OkFS5xK/XYHlxEKIxGkDi0pdGw9PdkKVelnn6foOWRtzBGSv
         BnDDQf1JOXstRTn9R606nP7RtAEppjIbFHf49vKVgz6cTMtGt0Y1vIkBcStxOxONrgCD
         1528L4d/XNey1lmAQDBvNg+6wUYvwbQn+r210oZtc7UlO+Sq8lFGxHUeGtd+8zdYNX5k
         YFtw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:date:cc:to:from:subject
         :message-id;
        bh=R0WWbBH/9QdTpLdXolFf0nWizjnxdqP/MzyWLmiZvEI=;
        b=k/SSF244YhbDUqI3CXwg+b3iSWewRRN1UotfWu5Nj0Il+DPGEooIbn8YJ6FO5UF+/y
         t8eXiCd28fXzqtHT5vFGKK0fqp7+/58LmJIVF8Ab8ketv16cPgc6LHWcovbPyh7UNegk
         uQiXZrSp6433df7MzkNwcAVFTgG/EHIRWxg7EJQcu1DBlBnnygmXHTSP/q57OnuT98PP
         72F+MGh7NDvOqbnLAyldAqw3NT9/fjWmFTOhBOPOcGiZ4JG38EUNEFUTdbOGnNUN9wc3
         CjCJ6AeSA3ecMgEWVqwJaN46as1HFEMmS9VIWTe+pJYIOF5IcqK/S0ECJmF7eYDeoTJU
         nXHw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id qh18si6500248ejb.374.2021.01.11.04.14.08;
        Mon, 11 Jan 2021 04:14:35 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726477AbhAKMLl (ORCPT <rfc822;js.yoo.5b.dev@gmail.com>
        + 99 others); Mon, 11 Jan 2021 07:11:41 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36096 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726253AbhAKMLl (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Mon, 11 Jan 2021 07:11:41 -0500
Received: from sipsolutions.net (s3.sipsolutions.net [IPv6:2a01:4f8:191:4433::2])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0C1A7C061786
        for <linux-wireless@vger.kernel.org>; Mon, 11 Jan 2021 04:11:01 -0800 (PST)
Received: by sipsolutions.net with esmtpsa (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
        (Exim 4.94)
        (envelope-from <johannes@sipsolutions.net>)
        id 1kyw1Y-004pA1-6H; Mon, 11 Jan 2021 13:10:55 +0100
Message-ID: <036e334c2a0a2ebaf940d3f7ae03ab0d9f7c45fb.camel@sipsolutions.net>
Subject: Re: [PATCH] mac80211: fix incorrect strlen of .write in debugfs
From:   Johannes Berg <johannes@sipsolutions.net>
To:     Shayne Chen <shayne.chen@mediatek.com>
Cc:     linux-wireless <linux-wireless@vger.kernel.org>,
        Toke =?ISO-8859-1?Q?H=F8iland-J=F8rgensen?= <toke@toke.dk>,
        Felix Fietkau <nbd@nbd.name>,
        Lorenzo Bianconi <lorenzo.bianconi@redhat.com>,
        Ryder Lee <ryder.lee@mediatek.com>,
        linux-mediatek <linux-mediatek@lists.infradead.org>,
        Sujuan Chen <sujuan.chen@mediatek.com>
Date:   Mon, 11 Jan 2021 13:10:39 +0100
In-Reply-To: <1610345954.4985.7.camel@mtksdccf07>
References: <20210108105643.10834-1-shayne.chen@mediatek.com>
         <0efec65815ff9e26b3da69cb35d503a90086760c.camel@sipsolutions.net>
         <1610345954.4985.7.camel@mtksdccf07>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.36.5 (3.36.5-2.fc32) 
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-malware-bazaar: not-scanned
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

On Mon, 2021-01-11 at 14:19 +0800, Shayne Chen wrote:
> 
> Regarding the case "10\n\0\0\0\0", both count and strlen() fail to get
> the correct strlen.

Yeah.

I don't think we need to worry about this case.

> # echo "10\n\0\0\0\0" > /sys/kernel/debug/ieee80211/phy0/airtime_flags
> airtime_flags_write: count = 13, strlen = 15 
> > > +	buf[count] = '\0';
> > 
> > But if count == sizeof(buf) then this is an out-of-bounds write.
> > 
> > Same for all the other copied instances.
> > 
> > johannes
> > 
> 
> Should we consider this kind of case here?

Sure, we're at the kernel/userspace trust boundary, we can't just read
out-of-bounds? Or what do you mean?

johannes