From: "Nuno Sá" <noname.nuno@gmail.com>
To: David Lechner <dlechner@baylibre.com>,
	Markus Burri <markus.burri@mt.com>,
	 linux-kernel@vger.kernel.org
Cc: Nuno Sa <nuno.sa@analog.com>,
	Olivier Moysan <olivier.moysan@foss.st.com>,
	 Jonathan Cameron <jic23@kernel.org>,
	Lars-Peter Clausen <lars@metafoo.de>,
	 linux-iio@vger.kernel.org, Markus Burri <markus.burri@bbv.ch>
Subject: Re: [PATCH v3] iio: backend: fix out-of-bound write
Date: Wed, 07 May 2025 07:23:34 +0100	[thread overview]
Message-ID: <66e8ea9630d69b16fbffdc55d2cf77e0820ebcc3.camel@gmail.com> (raw)
In-Reply-To: <aa7f18ce-9330-4a30-93e5-85489f507a42@baylibre.com>

On Tue, 2025-05-06 at 12:00 -0500, David Lechner wrote:
> On 5/5/25 3:38 PM, Markus Burri wrote:
> > The buffer is set to 80 characters. If a caller writes more characters,
> > count is truncated to the max available space in "simple_write_to_buffer".
> > But afterwards a string terminator is written to the buffer at offset count
> > without a boundary check. The zero termination is written OUT-OF-BOUND.
> > 
> > Add a check that the given buffer is smaller than the buffer to prevent this.
> > 
> > Fixes: 035b4989211d ("iio: backend: make sure to NULL terminate stack buffer")
> > Signed-off-by: Markus Burri <markus.burri@mt.com>
> > ---
> >  drivers/iio/industrialio-backend.c | 5 ++++-
> >  1 file changed, 4 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/iio/industrialio-backend.c b/drivers/iio/industrialio-
> > backend.c
> > index a43c8d1bb3d0..4a364e038449 100644
> > --- a/drivers/iio/industrialio-backend.c
> > +++ b/drivers/iio/industrialio-backend.c
> > @@ -155,11 +155,14 @@ static ssize_t iio_backend_debugfs_write_reg(struct file
> > *file,
> >  	ssize_t rc;
> >  	int ret;
> >  
> > +	if (count >= sizeof(buf) - 1)
> 
> Isn't it OK if count == sizeof(buf) - 1? In other words, should be:
> 
> 	if (count >= sizeof(buf))

Oh, indeed you're right. Sorry Mark! I was the one asking for it but I did not
realize the comparison was '>='. So I was thinking if (count > sizeof(buf) - 1),
which is pretty much if (count >= sizeof(buf)).

Arghh... Maybe Jonathan can tweak this while applying so you do not have to spin
another version because of this.

- Nuno Sá

> 
> > +		return -ENOSPC;
> > +
> >  	rc = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf, count);
> >  	if (rc < 0)
> >  		return rc;
> >  
> > -	buf[count] = '\0';
> > +	buf[rc] = '\0';
> >  
> >  	ret = sscanf(buf, "%i %i", &back->cached_reg_addr, &val);
> >  
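Review bot: the new guard `if (count >= sizeof(buf) - 1)` is off by one and refuses a write of exactly sizeof(buf) - 1 bytes, which fits: simple_write_to_buffer() is given sizeof(buf) - 1 as the available space, so rc is at most sizeof(buf) - 1 and `buf[rc] = '\0'` lands on the last byte of the 80-byte buffer. The intended bound is `if (count >= sizeof(buf))` (equivalently `count > sizeof(buf) - 1`), as already raised in this thread. Worth stating in the commit message as well: changing the terminator index from count to rc is what closes the out-of-bounds write on its own, and the added count check only turns silent truncation of an over-long write into -ENOSPC, so the two changes serve different purposes.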
> > 
> > base-commit: b4432656b36e5cc1d50a1f2dc15357543add530e
> 
> It looks like we have the same or similar bugs in:
> 
> drivers/accel/ivpu/ivpu_debugfs.c
> drivers/gpio/gpio-virtuser.c
> drivers/iio/industrialio-core.c
> drivers/iio/dac/ad3552r-hs.c
> 
> Do you plan to fix these as well? 
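
The comparison discussed above, as an added user-space model that is not code from the patch, the thread, or the kernel tree: it rebuilds the write path around the 80-byte stack buffer named in the commit message, with a mock of simple_write_to_buffer() whose copy-and-truncate contract is assumed from the call above, and exposes three variants (v3 as posted, the suggested comparison, and no count check) so the terminator index can be checked against the buffer size. The function names and the sample input are made up for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#define BUF_SIZE 80   /* the 80-character stack buffer from the commit message */

/* Constructed sample input (not a real register write); longer than any count below. */
static const char sample[] =
    "0x1234 0x5678 padding padding padding padding padding padding padding "
    "padding padding padding padding padding padding padding padding padding";

/* Assumed model of the kernel helper's contract: copy at most `available - *ppos`
 * bytes, advance *ppos, return the bytes copied. It writes no terminator. */
static long mock_simple_write_to_buffer(char *to, size_t available, long *ppos,
                                        const char *from, size_t count)
{
    size_t pos = (size_t)*ppos;

    if (pos >= available)
        return 0;
    if (count > available - pos)
        count = available - pos;
    memcpy(to + pos, from, count);
    *ppos += (long)count;
    return (long)count;
}

/* The patched write path, parameterised by the count at which it refuses
 * the write. Returns the terminator's index, or a negative errno. */
static long write_model(const char *userbuf, size_t count, size_t reject_at)
{
    char buf[BUF_SIZE];
    long pos = 0, rc;

    if (count >= reject_at)
        return -ENOSPC;
    rc = mock_simple_write_to_buffer(buf, sizeof(buf) - 1, &pos, userbuf, count);
    if (rc < 0)
        return rc;
    buf[rc] = '\0';   /* rc <= sizeof(buf) - 1 == 79: always in bounds */
    return rc;
}

/* v3 as posted (count >= sizeof(buf) - 1): refuses a 79-byte write that fits. */
long iio_write_v3(const char *u, size_t n) { return write_model(u, n, BUF_SIZE - 1); }
/* The comparison suggested in the thread (count >= sizeof(buf)). */
long iio_write_suggested(const char *u, size_t n) { return write_model(u, n, BUF_SIZE); }
/* No count check at all: buf[rc] alone keeps the terminator in bounds, so an
 * over-long write is silently truncated to 79 bytes instead of being refused. */
long iio_write_nocheck(const char *u, size_t n) { return write_model(u, n, (size_t)-1); }
```

A 79-byte write is accepted by the suggested comparison and refused by the v3 one, while without any check a 120-byte write still terminates at index 79, which is the distinction the review is about.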

