Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp2215947pxb; Mon, 11 Jan 2021 04:14:35 -0800 (PST) X-Google-Smtp-Source: ABdhPJz1Nt/OmcO8Jm+wP3brQ/ZRtiVDzk/wXSDmy6HgNQfb5w97CUQBITCNam+gELiuHQkE/sjs X-Received: by 2002:a17:906:77c5:: with SMTP id m5mr10307902ejn.424.1610367275549; Mon, 11 Jan 2021 04:14:35 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610367275; cv=none; d=google.com; s=arc-20160816; b=MQyIOgIU7BhuSt9/74hXzzVMG1rZ8eMZl87aa86R8jir18Hg+JpdHcOnnFf3tSIs3t Ic+0rVjEfM49EOxhDzemfj2xElSzyY1/gAigrCNGOOPi7by7i0fS+wXl3yOY+Lz4qGfQ D4JADJ4CaFmcIlMLvt0/OkFS5xK/XYHlxEKIxGkDi0pdGw9PdkKVelnn6foOWRtzBGSv BnDDQf1JOXstRTn9R606nP7RtAEppjIbFHf49vKVgz6cTMtGt0Y1vIkBcStxOxONrgCD 1528L4d/XNey1lmAQDBvNg+6wUYvwbQn+r210oZtc7UlO+Sq8lFGxHUeGtd+8zdYNX5k YFtw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:date:cc:to:from:subject :message-id; bh=R0WWbBH/9QdTpLdXolFf0nWizjnxdqP/MzyWLmiZvEI=; b=k/SSF244YhbDUqI3CXwg+b3iSWewRRN1UotfWu5Nj0Il+DPGEooIbn8YJ6FO5UF+/y t8eXiCd28fXzqtHT5vFGKK0fqp7+/58LmJIVF8Ab8ketv16cPgc6LHWcovbPyh7UNegk uQiXZrSp6433df7MzkNwcAVFTgG/EHIRWxg7EJQcu1DBlBnnygmXHTSP/q57OnuT98PP 72F+MGh7NDvOqbnLAyldAqw3NT9/fjWmFTOhBOPOcGiZ4JG38EUNEFUTdbOGnNUN9wc3 CjCJ6AeSA3ecMgEWVqwJaN46as1HFEMmS9VIWTe+pJYIOF5IcqK/S0ECJmF7eYDeoTJU nXHw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id qh18si6500248ejb.374.2021.01.11.04.14.08; Mon, 11 Jan 2021 04:14:35 -0800 (PST) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726477AbhAKMLl (ORCPT + 99 others); Mon, 11 Jan 2021 07:11:41 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36096 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726253AbhAKMLl (ORCPT ); Mon, 11 Jan 2021 07:11:41 -0500 Received: from sipsolutions.net (s3.sipsolutions.net [IPv6:2a01:4f8:191:4433::2]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0C1A7C061786 for ; Mon, 11 Jan 2021 04:11:01 -0800 (PST) Received: by sipsolutions.net with esmtpsa (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.94) (envelope-from ) id 1kyw1Y-004pA1-6H; Mon, 11 Jan 2021 13:10:55 +0100 Message-ID: <036e334c2a0a2ebaf940d3f7ae03ab0d9f7c45fb.camel@sipsolutions.net> Subject: Re: [PATCH] mac80211: fix incorrect strlen of .write in debugfs From: Johannes Berg To: Shayne Chen Cc: linux-wireless , Toke =?ISO-8859-1?Q?H=F8iland-J=F8rgensen?= , Felix Fietkau , Lorenzo Bianconi , Ryder Lee , linux-mediatek , Sujuan Chen Date: Mon, 11 Jan 2021 13:10:39 +0100 In-Reply-To: <1610345954.4985.7.camel@mtksdccf07> References: <20210108105643.10834-1-shayne.chen@mediatek.com> <0efec65815ff9e26b3da69cb35d503a90086760c.camel@sipsolutions.net> <1610345954.4985.7.camel@mtksdccf07> Content-Type: text/plain; charset="UTF-8" User-Agent: Evolution 3.36.5 (3.36.5-2.fc32) MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-malware-bazaar: not-scanned Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org On Mon, 2021-01-11 at 14:19 +0800, Shayne Chen wrote: > > Regarding the case "10\n\0\0\0\0", both count and strlen() fail to get > the correct strlen. Yeah. I don't think we need to worry about this case. > # echo "10\n\0\0\0\0" > /sys/kernel/debug/ieee80211/phy0/airtime_flags > airtime_flags_write: count = 13, strlen = 15 > > > + buf[count] = '\0'; > > > > But if count == sizeof(buf) then this is an out-of-bounds write. > > > > Same for all the other copied instances. > > > > johannes > > > > Should we consider this kind of case here? Sure, we're at the kernel/userspace trust boundary, we can't just read out-of-bounds? Or what do you mean? johannes