From: Andy Shevchenko <andriy.shevchenko@intel.com>
To: 林妙倩 <linmq006@gmail.com>
Cc: "Markus Burri" <markus.burri@mt.com>,
"Lars-Peter Clausen" <lars@metafoo.de>,
"Michael Hennerich" <Michael.Hennerich@analog.com>,
"Jonathan Cameron" <jic23@kernel.org>,
"David Lechner" <dlechner@baylibre.com>,
"Nuno Sá" <nuno.sa@analog.com>,
"Andy Shevchenko" <andy@kernel.org>,
"Angelo Dureghello" <adureghello@baylibre.com>,
linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH] iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source
Date: Tue, 28 Oct 2025 11:58:42 +0200 [thread overview]
Message-ID: <aQCT0q4hKtlVbJDU@smile.fi.intel.com> (raw)
In-Reply-To: <CAH-r-ZEG5qN5QNCJTnX_oK2uyheNjvzoAEgzuyTYyUWF4kf+wQ@mail.gmail.com>
On Tue, Oct 28, 2025 at 05:46:53PM +0800, 林妙倩 wrote:
> Andy Shevchenko <andriy.shevchenko@intel.com> 于2025年10月28日周二 17:07写道:
> > On Tue, Oct 28, 2025 at 10:19:27AM +0200, Andy Shevchenko wrote:
> > > On Tue, Oct 28, 2025 at 10:18:05AM +0200, Andy Shevchenko wrote:
> > > > On Mon, Oct 27, 2025 at 11:07:13PM +0800, Miaoqian Lin wrote:
...
> > > > > + if (count >= sizeof(buf))
> > > > > + return -ENOSPC;
> > > >
> > > > But this makes the validation too strict now.
> > > >
> > > > > ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf,
> > > > > count);
> > > >
> > > > You definitely failed to read the code that implements the above.
> > > >
>
> I previously read the simple_write_to_buffer(), but add the check and
> think it can help to catch error eariler. My mistake.
>
> > > > > if (ret < 0)
> > > > > return ret;
> > >
> > > > > - buf[count] = '\0';
> > > > > + buf[ret] = '\0';
> > >
> > > Maybe this line is what we might need, but I haven't checked deeper if it's a
> > > problem.
> >
> > So, copy_to_user() and copy_from_user() are always inlined macros.
> > The simple_write_to_buffer() is not. The question here is how
> > the __builit_object_size() will behave on the address given as a parameter to
> > copy_from_user() in simple_write_to_buffer().
> >
> > If it may detect reliably that the buffer is the size it has. I believe it's
> > easy for the byte arrays on stack.
> >
> > That said, without proof that compiler is unable to determine the destination
> > buffer size, this patch and the one by Markus are simple noise which actually
> > changes an error code on the overflow condition.
> >
> > The only line that assigns NUL character might be useful in some cases
> > (definitely when buffer comes through indirect calls from a heap, etc).
> >
>
> I believe it is still necessray to use buf[ret] = '\0'; intead of
> buf[count] = '\0';
> If you argee with this, I send a v2 with just this fix. Thanks.
As explained above, please try to model the situation and see if current code
is buggy, i.e. provide a step-by-step test case and show a traceback that
points to a out-of-boundary access in this function. (Note, you don't need to
have a HW for that, you might need to create a dummy IIO or other module with
the similar interface and run it, in such a case, share also link to the source
code of that module.) When you prove the problem exists, I will happily ACK
all similar patches, including yours.
> > > > NAK.
> > > >
> > > > This patch is an unneeded churn.
--
With Best Regards,
Andy Shevchenko
next prev parent reply other threads:[~2025-10-28 9:58 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-27 15:07 [PATCH] iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source Miaoqian Lin
2025-10-27 15:19 ` David Lechner
2025-10-27 16:05 ` Nuno Sá
2025-10-28 8:18 ` Andy Shevchenko
2025-10-28 8:19 ` Andy Shevchenko
2025-10-28 9:07 ` Andy Shevchenko
2025-10-28 9:46 ` 林妙倩
2025-10-28 9:58 ` Andy Shevchenko [this message]
2025-10-28 12:31 ` Nuno Sá
2025-10-28 14:45 ` Andy Shevchenko
2025-10-28 15:12 ` Nuno Sá
2025-10-28 15:19 ` Andy Shevchenko
2025-12-17 6:47 ` 林妙倩
2025-12-28 17:33 ` Andy Shevchenko
2025-10-28 11:40 ` Andy Shevchenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aQCT0q4hKtlVbJDU@smile.fi.intel.com \
--to=andriy.shevchenko@intel.com \
--cc=Michael.Hennerich@analog.com \
--cc=adureghello@baylibre.com \
--cc=andy@kernel.org \
--cc=dlechner@baylibre.com \
--cc=jic23@kernel.org \
--cc=lars@metafoo.de \
--cc=linmq006@gmail.com \
--cc=linux-iio@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=markus.burri@mt.com \
--cc=nuno.sa@analog.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.