Message ID | 20210714122753.76021-1-zhuangyi1@huawei.com (mailing list archive)
---|---
State | New
Series | [v2] powerpc/rtas_flash: fix a potential buffer overflow
Context | Check | Description |
---|---|---|
snowpatch_ozlabs/github-powerpc_ppctests | success | Successfully ran 8 jobs. |
snowpatch_ozlabs/github-powerpc_selftests | success | Successfully ran 8 jobs. |
snowpatch_ozlabs/github-powerpc_sparse | success | Successfully ran 4 jobs. |
snowpatch_ozlabs/github-powerpc_clang | success | Successfully ran 8 jobs. |
snowpatch_ozlabs/github-powerpc_kernel_qemu | success | Successfully ran 25 jobs. |
Yi Zhuang <zhuangyi1@huawei.com> wrote: > Since snprintf() returns the possible output size instead of the > actual output size, the available flash_msg length returned by > get_validate_flash_msg may exceed the given buffer limit when > simple_read_from_buffer calls copy_to_user > > Reported-by: kernel test robot <lkp@intel.com> > Fixes: a94a14720eaf5 powerpc/rtas_flash: Fix validate_flash buffer > overflow issue > Signed-off-by: Yi Zhuang <zhuangyi1@huawei.com> > --- > arch/powerpc/kernel/rtas_flash.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/arch/powerpc/kernel/rtas_flash.c > b/arch/powerpc/kernel/rtas_flash.c > index a99179d83538..062f0724c2ff 100644 > --- a/arch/powerpc/kernel/rtas_flash.c > +++ b/arch/powerpc/kernel/rtas_flash.c > @@ -470,9 +470,14 @@ static int get_validate_flash_msg(struct > rtas_validate_flash_t *args_buf, > if (args_buf->status >= VALIDATE_TMP_UPDATE) { > n = sprintf(msg, "%d\n", args_buf->update_results); > if ((args_buf->update_results >= VALIDATE_CUR_UNKNOWN) || > - (args_buf->update_results == VALIDATE_TMP_UPDATE)) > + (args_buf->update_results == VALIDATE_TMP_UPDATE)) { > n += snprintf(msg + n, msglen - n, "%s\n", > args_buf->buf); > + if (n >= msglen) { n cannot be greater than msglen > + n = msglen; > + printk(KERN_ERR "FLASH: msg too long.\n"); > + } > + } > } else { > n = sprintf(msg, "%d\n", args_buf->status); > } > -- > 2.26.0.106.g9fadedd
diff --git a/arch/powerpc/kernel/rtas_flash.c b/arch/powerpc/kernel/rtas_flash.c index a99179d83538..062f0724c2ff 100644 --- a/arch/powerpc/kernel/rtas_flash.c +++ b/arch/powerpc/kernel/rtas_flash.c @@ -470,9 +470,14 @@ static int get_validate_flash_msg(struct rtas_validate_flash_t *args_buf, if (args_buf->status >= VALIDATE_TMP_UPDATE) { n = sprintf(msg, "%d\n", args_buf->update_results); if ((args_buf->update_results >= VALIDATE_CUR_UNKNOWN) || - (args_buf->update_results == VALIDATE_TMP_UPDATE)) + (args_buf->update_results == VALIDATE_TMP_UPDATE)) { n += snprintf(msg + n, msglen - n, "%s\n", args_buf->buf); + if (n >= msglen) { + n = msglen; + printk(KERN_ERR "FLASH: msg too long.\n"); + } + } } else { n = sprintf(msg, "%d\n", args_buf->status); }
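Review bot: the added `if (n >= msglen)` clamp patches a symptom of calling snprintf() here; since the root cause (stated in the commit message) is that snprintf() returns the would-be length rather than the bytes stored, changing `n += snprintf(msg + n, msglen - n, "%s\n", args_buf->buf);` to `n += scnprintf(msg + n, msglen - n, "%s\n", args_buf->buf);` bounds n by construction and makes the new block, the extra braces and the printk unnecessary. If the clamp is kept anyway, two details: snprintf() stores at most msglen - 1 message bytes (the last byte is the NUL), so `n = msglen` over-reports by one and hands the terminator to userspace through simple_read_from_buffer(); and printk(KERN_ERR ...) fires on every read of a truncated message, so pr_warn_once() or no message at all would be less noisy.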
Since snprintf() returns the possible output size instead of the actual output size, the available flash_msg length returned by get_validate_flash_msg may exceed the given buffer limit when simple_read_from_buffer calls copy_to_user.

Reported-by: kernel test robot <lkp@intel.com>
Fixes: a94a14720eaf5 powerpc/rtas_flash: Fix validate_flash buffer overflow issue
Signed-off-by: Yi Zhuang <zhuangyi1@huawei.com>
---
 arch/powerpc/kernel/rtas_flash.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
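The snprintf()/scnprintf() return-value difference the patch hinges on, shown as an added user-space model (not the kernel's code and not the submitter's patch; the function names, the 16-byte buffer and the sample RTAS text are constructed for the demonstration, and the status line is assumed to always fit):

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed user-space model of the two formatting steps in
 * get_validate_flash_msg() (status line, then the RTAS text); names and
 * values are assumptions for the demonstration, not the kernel's.
 *
 * State after a94a14720eaf5: msg is no longer overrun, but snprintf()
 * returns the length the full string WOULD have taken, so n can exceed
 * msglen and a reader that trusts n (as simple_read_from_buffer() does)
 * copies past the end of msg. Assumes the status line always fits. */
size_t format_msg_snprintf(char *msg, size_t msglen, int status, const char *text)
{
	size_t n = (size_t)snprintf(msg, msglen, "%d\n", status);
	n += (size_t)snprintf(msg + n, msglen - n, "%s\n", text);
	return n;
}

/* Stand-in for the kernel's scnprintf(): returns the bytes actually stored
 * (excluding the NUL), so it never reports more than size - 1. */
static size_t scnprintf_model(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int r;
	if (size == 0)
		return 0;
	va_start(ap, fmt);
	r = vsnprintf(buf, size, fmt, ap);
	va_end(ap);
	if (r < 0)
		return 0;
	return (size_t)r < size ? (size_t)r : size - 1;
}

/* Same two steps with the scnprintf-style helper: n is bounded by
 * construction, so no clamp and no error message are needed. */
size_t format_msg_fixed(char *msg, size_t msglen, int status, const char *text)
{
	size_t n = scnprintf_model(msg, msglen, "%d\n", status);
	n += scnprintf_model(msg + n, msglen - n, "%s\n", text);
	return n;
}

/* Worked case: a 16-byte msg buffer and a 41-character constructed RTAS text. */
#define MSGLEN 16
static const char LONG_TEXT[] = "constructed-long-firmware-text-0123456789";

size_t demo_buggy(void) { char m[MSGLEN]; return format_msg_snprintf(m, MSGLEN, 1, LONG_TEXT); }
size_t demo_fixed(void) { char m[MSGLEN]; return format_msg_fixed(m, MSGLEN, 1, LONG_TEXT); }
```

With the snprintf() version demo_buggy() reports 44 bytes for a 16-byte buffer, which is exactly the length a copy_to_user() caller would trust; the scnprintf-style version reports 15, the most that can actually be in the buffer.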