From: Xiang W
To: opensbi@lists.infradead.org
Cc: Xiang W, anup@brainfault.org, jrtc27@jrtc27.com
Subject: [PATCH v2 12/12] lib: sbi: Fix timing of clearing tbuf
Date: Tue, 6 Jun 2023 18:32:48 +0800
Message-Id: <20230606103248.1218864-1-wxjstz@126.com>

A single scan of the format char may add multiple characters to the tbuf, causing a buffer overflow. You should check if tbuf is full in printc so that it does not cause a buffer overflow.

Signed-off-by: Xiang W
---
 lib/sbi/sbi_console.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/lib/sbi/sbi_console.c b/lib/sbi/sbi_console.c index 922de20..d4e2651 100644 --- a/lib/sbi/sbi_console.c +++ b/lib/sbi/sbi_console.c @@ -18,6 +18,8 @@ #define PAD_ZERO 2 #define PAD_ALTERNATE 4 #define PAD_SIGN 8 +#define USED_TBUF (1 << (8 * sizeof(int) - 1)) + #define PRINT_BUF_LEN 64 #define CONSOLE_TBUF_MAX 256 @@ -155,6 +157,11 @@ static void printc(struct print_info *info, char ch) info->pc++; } } + + if ((info->flags & USED_TBUF) && info->len - info->pos < 2) { + nputs_all(info->out, info->pos); + info->pos = 0; + } } static void prints(struct print_info *info, const char *string) 
@@ -248,6 +255,7 @@ static void print(struct print_info *info, const char *format, va_list args) bool use_tbuf = (!info->out) ? true : false; info->pos = 0; info->pc = 0; + info->flags = 0; /* * The console_tbuf is protected by console_out_lock and @@ -255,16 +263,12 @@ static void print(struct print_info *info, const char *format, va_list args) * when out == NULL. */ if (use_tbuf) { + info->flags |= USED_TBUF; info->out = console_tbuf; info->len = CONSOLE_TBUF_MAX; } for (; *format != 0; ++format) { - if (use_tbuf && info->len - info->pos < 2) { - nputs_all(info->out, info->pos); - info->pos = 0; - } - if (*format == '%') { ++format; if (*format == '\0') @@ -272,7 +276,7 @@ static void print(struct print_info *info, const char *format, va_list args) if (*format == '%') goto literal; /* Get flags */ - info->flags = 0; + info->flags &= USED_TBUF; flags_done = false; while (!flags_done) { switch (*format) {
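
Review bot: in the first hunk (@@ -18,6 +18,8), USED_TBUF is defined as 1 << (8 * sizeof(int) - 1), which shifts a signed int 1 into its sign bit; that is undefined behaviour in C and gives a negative constant on compilers that accept it. Using 1U << (8 * sizeof(int) - 1) avoids this. The define also sits directly under PAD_SIGN with no comment, so a one-line note that it is internal buffer state and not a format flag would prevent someone from reusing the bit.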
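
Review bot: in the printc() hunk (@@ -155,6 +157,11), the new check keeps the bare 2 from the block removed in print() without saying what the spare byte is reserved for, and because it sits at the end of the function it only protects the next call, not the one that just ran. A short comment stating the invariant (when USED_TBUF is set, at least 2 bytes are free on every entry to printc()) would make the overflow argument checkable, and it would tell anyone adding another writer to tbuf that they must go through printc().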
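
Review bot: in the print() hunk at @@ -255,16 +263,12, the local use_tbuf is still computed and tested while printc() now keys on info->flags & USED_TBUF, so the same state lives in two places that can drift apart. Either set the flag where use_tbuf is computed and have print() test the flag everywhere, or carry the bool in struct print_info as its own field and leave info->flags for format flags only.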
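
Review bot: in the last hunk (@@ -272,7 +276,7), info->flags &= USED_TBUF carries a buffer-management bit through the per-conversion flag reset with no comment, so any later plain assignment to info->flags in the flag parsing that follows would silently turn off the flush in printc() and bring the overflow back. Please add a comment on that line saying the reset must preserve USED_TBUF, or move the bit out of flags into a dedicated member so the format-flag code cannot clear it.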