linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Nuno Sá" <noname.nuno@gmail.com>
To: Andy Shevchenko <andriy.shevchenko@intel.com>,
	Miaoqian Lin <linmq006@gmail.com>,
	Markus Burri <markus.burri@mt.com>
Cc: "Lars-Peter Clausen" <lars@metafoo.de>,
	"Michael Hennerich" <Michael.Hennerich@analog.com>,
	"Jonathan Cameron" <jic23@kernel.org>,
	"David Lechner" <dlechner@baylibre.com>,
	"Nuno Sá" <nuno.sa@analog.com>,
	"Andy Shevchenko" <andy@kernel.org>,
	"Angelo Dureghello" <adureghello@baylibre.com>,
	linux-iio@vger.kernel.org, linux-kernel@vger.kernel.org,
	stable@vger.kernel.org
Subject: Re: [PATCH] iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source
Date: Tue, 28 Oct 2025 12:31:04 +0000	[thread overview]
Message-ID: <071e3da4d69e10d64c54a18b7dd34ae11ab68f58.camel@gmail.com> (raw)
In-Reply-To: <aQCHt9JL0Bc4Pduv@smile.fi.intel.com>

On Tue, 2025-10-28 at 11:07 +0200, Andy Shevchenko wrote:
> On Tue, Oct 28, 2025 at 10:19:27AM +0200, Andy Shevchenko wrote:
> > On Tue, Oct 28, 2025 at 10:18:05AM +0200, Andy Shevchenko wrote:
> > > On Mon, Oct 27, 2025 at 11:07:13PM +0800, Miaoqian Lin wrote:
> 
> +Cc: Markus Burri for the da9374819eb3
> 
> ...
> 
> > > > +	if (count >= sizeof(buf))
> > > > +		return -ENOSPC;
> > > 
> > > But this makes the validation too strict now.
> > > 
> > > >  	ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos,
> > > > userbuf,
> > > >  				     count);
> > > 
> > > You definitely failed to read the code that implements the above.
> > > 
> > > >  	if (ret < 0)
> > > >  		return ret;
> > 
> > > > -	buf[count] = '\0';
> > > > +	buf[ret] = '\0';
> > 
> > Maybe this line is what we might need, but I haven't checked deeper if it's
> > a
> > problem.
> 
> So, copy_to_user() and copy_from_user() are always inlined macros.
> The simple_write_to_buffer() is not. The question here is how
> the __builit_object_size() will behave on the address given as a parameter to
> copy_from_user() in simple_write_to_buffer().
> 
> If it may detect reliably that the buffer is the size it has. I believe it's
> easy for the byte arrays on stack.
> 

I think the above does not make sense (unless I'm missing your point which might
very well be). So, __builit_object_size() is for things known at compile time.
Moreover, simple_write_to_buffer() already has all of the gymnastics to make
sure copy_from_user() has the proper parameters. The thing is that it does it in
a "silent" way which means that if your buffer is not big enough you'll get a
concatenated string. Sure, you'll likely get an error down the road (due to an
invalid value) but I do see some value in returning back the root cause of the
issue.

So, the preliminary check while not being a big deal, it's also not completely
useless IMO. I do not have any strong feeling though. However, I think the below
is very much needed...

> That said, without proof that compiler is unable to determine the destination
> buffer size, this patch and the one by Markus are simple noise which actually
> changes an error code on the overflow condition.
> 
> The only line that assigns NUL character might be useful in some cases
> (definitely when buffer comes through indirect calls from a heap, etc).

I think you can easily pass a string >= than 64 bytes (from userspace). AFAIR,
you don't really set a size into debugfs files. For sure you can mess things
with zero sized binary attributes so I have some confidence you have the same
with debugfs.

And even if all the above is not reproducible I'm still of the opinion that

buf[ret] = '\0';

is semantically the correct code.

- Nuno Sá


  parent reply	other threads:[~2025-10-28 12:30 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-10-27 15:07 [PATCH] iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source Miaoqian Lin
2025-10-27 15:19 ` David Lechner
2025-10-27 16:05 ` Nuno Sá
2025-10-28  8:18 ` Andy Shevchenko
2025-10-28  8:19   ` Andy Shevchenko
2025-10-28  9:07     ` Andy Shevchenko
2025-10-28  9:46       ` 林妙倩
2025-10-28  9:58         ` Andy Shevchenko
2025-10-28 12:31       ` Nuno Sá [this message]
2025-10-28 14:45         ` Andy Shevchenko
2025-10-28 15:12           ` Nuno Sá
2025-10-28 15:19             ` Andy Shevchenko
2025-10-28 11:40 ` Andy Shevchenko

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=071e3da4d69e10d64c54a18b7dd34ae11ab68f58.camel@gmail.com \
    --to=noname.nuno@gmail.com \
    --cc=Michael.Hennerich@analog.com \
    --cc=adureghello@baylibre.com \
    --cc=andriy.shevchenko@intel.com \
    --cc=andy@kernel.org \
    --cc=dlechner@baylibre.com \
    --cc=jic23@kernel.org \
    --cc=lars@metafoo.de \
    --cc=linmq006@gmail.com \
    --cc=linux-iio@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=markus.burri@mt.com \
    --cc=nuno.sa@analog.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).