* [PATCH v2 1/3] staging: fbtft: Fix buffer overflow vulnerability
2017-02-15 3:27 [PATCH v2 0/3] staging: fbtft: Fix buffer overflow vulnerability Tobin C. Harding
@ 2017-02-15 3:27 ` Tobin C. Harding
2017-02-15 3:27 ` [PATCH v2 2/3] staging: fbtft: Replace magic number with constant Tobin C. Harding
2017-02-15 3:27 ` [PATCH v2 3/3] staging: fbtft: Add check on strlcpy() return value Tobin C. Harding
2 siblings, 0 replies; 5+ messages in thread
From: Tobin C. Harding @ 2017-02-15 3:27 UTC (permalink / raw)
To: Thomas Petazzoni, noralf
Cc: Greg Kroah-Hartman, devel, linux-kernel, Tobin C. Harding
Module copies a user supplied string (module parameter) into a buffer
using strncpy() and does not check that the buffer is null terminated.
Replace call to strncpy() with call to strlcpy() ensuring that the
buffer is null terminated.
Signed-off-by: Tobin C. Harding <me@tobin.cc>
---
drivers/staging/fbtft/fbtft_device.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/fbtft/fbtft_device.c b/drivers/staging/fbtft/fbtft_device.c
index de46f8d..7b7223b 100644
--- a/drivers/staging/fbtft/fbtft_device.c
+++ b/drivers/staging/fbtft/fbtft_device.c
@@ -1483,7 +1483,7 @@ static int __init fbtft_device_init(void)
displays[i].pdev->name = name;
displays[i].spi = NULL;
} else {
- strncpy(displays[i].spi->modalias, name, SPI_NAME_SIZE);
+ strlcpy(displays[i].spi->modalias, name, SPI_NAME_SIZE);
displays[i].pdev = NULL;
}
}
--
2.7.4
^ permalink raw reply related [flat|nested] 5+ messages in thread* [PATCH v2 2/3] staging: fbtft: Replace magic number with constant
2017-02-15 3:27 [PATCH v2 0/3] staging: fbtft: Fix buffer overflow vulnerability Tobin C. Harding
2017-02-15 3:27 ` [PATCH v2 1/3] " Tobin C. Harding
@ 2017-02-15 3:27 ` Tobin C. Harding
2017-02-15 3:36 ` Joe Perches
2017-02-15 3:27 ` [PATCH v2 3/3] staging: fbtft: Add check on strlcpy() return value Tobin C. Harding
2 siblings, 1 reply; 5+ messages in thread
From: Tobin C. Harding @ 2017-02-15 3:27 UTC (permalink / raw)
To: Thomas Petazzoni, noralf
Cc: Greg Kroah-Hartman, devel, linux-kernel, Tobin C. Harding
Current call to strncmp() uses a magic number. There is a compile
time constant defined for this buffer, included and used already at
other sites in the file.
Remove magic number. Replace with pre-existing compile time constant.
Signed-off-by: Tobin C. Harding <me@tobin.cc>
---
drivers/staging/fbtft/fbtft_device.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/fbtft/fbtft_device.c b/drivers/staging/fbtft/fbtft_device.c
index 7b7223b..5fbdd37 100644
--- a/drivers/staging/fbtft/fbtft_device.c
+++ b/drivers/staging/fbtft/fbtft_device.c
@@ -1489,7 +1489,7 @@ static int __init fbtft_device_init(void)
}
for (i = 0; i < ARRAY_SIZE(displays); i++) {
- if (strncmp(name, displays[i].name, 32) == 0) {
+ if (strncmp(name, displays[i].name, SPI_NAME_SIZE) == 0) {
if (displays[i].spi) {
spi = displays[i].spi;
spi->chip_select = cs;
--
2.7.4
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH v2 2/3] staging: fbtft: Replace magic number with constant
2017-02-15 3:27 ` [PATCH v2 2/3] staging: fbtft: Replace magic number with constant Tobin C. Harding
@ 2017-02-15 3:36 ` Joe Perches
0 siblings, 0 replies; 5+ messages in thread
From: Joe Perches @ 2017-02-15 3:36 UTC (permalink / raw)
To: Tobin C. Harding, Thomas Petazzoni, noralf
Cc: Greg Kroah-Hartman, devel, linux-kernel
On Wed, 2017-02-15 at 14:27 +1100, Tobin C. Harding wrote:
> Current call to strncmp() uses a magic number. There is a compile
> time constant defined for this buffer, included and used already at
> other sites in the file.
>
> Remove magic number. Replace with pre-existing compile time constant.
OK thanks, as well:
> diff --git a/drivers/staging/fbtft/fbtft_device.c b/drivers/staging/fbtft/fbtft_device.c
[]
> @@ -1489,7 +1489,7 @@ static int __init fbtft_device_init(void)
> }
>
> for (i = 0; i < ARRAY_SIZE(displays); i++) {
> - if (strncmp(name, displays[i].name, 32) == 0) {
> + if (strncmp(name, displays[i].name, SPI_NAME_SIZE) == 0) {
Maybe change this to:
if (strncmp(name, displays[i].name, SPI_NAME_SIZE) != 0)
continue;
and reduce the indentation of the rest of the block.
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH v2 3/3] staging: fbtft: Add check on strlcpy() return value
2017-02-15 3:27 [PATCH v2 0/3] staging: fbtft: Fix buffer overflow vulnerability Tobin C. Harding
2017-02-15 3:27 ` [PATCH v2 1/3] " Tobin C. Harding
2017-02-15 3:27 ` [PATCH v2 2/3] staging: fbtft: Replace magic number with constant Tobin C. Harding
@ 2017-02-15 3:27 ` Tobin C. Harding
2 siblings, 0 replies; 5+ messages in thread
From: Tobin C. Harding @ 2017-02-15 3:27 UTC (permalink / raw)
To: Thomas Petazzoni, noralf
Cc: Greg Kroah-Hartman, devel, linux-kernel, Tobin C. Harding
Return value of strlcpy() is not checked. Name string is silently
truncated if longer that SPI_NAME_SIZE, whilst not detrimental to
the program logic it would be nice to notify the user. Module is
currently quite verbose, adding extra pr_warn() calls will not overly
impact this verbosity.
Check return value from call to strlcpy(). If source string is
truncated call pr_warn() to notify user.
Signed-off-by: Tobin C. Harding <me@tobin.cc>
---
drivers/staging/fbtft/fbtft_device.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/fbtft/fbtft_device.c b/drivers/staging/fbtft/fbtft_device.c
index 5fbdd37..78baf46 100644
--- a/drivers/staging/fbtft/fbtft_device.c
+++ b/drivers/staging/fbtft/fbtft_device.c
@@ -1483,7 +1483,13 @@ static int __init fbtft_device_init(void)
displays[i].pdev->name = name;
displays[i].spi = NULL;
} else {
- strlcpy(displays[i].spi->modalias, name, SPI_NAME_SIZE);
+ size_t len;
+
+ len = strlcpy(displays[i].spi->modalias, name,
+ SPI_NAME_SIZE);
+ if (len >= SPI_NAME_SIZE)
+ pr_warn("modalias (name) truncated to: %s\n",
+ displays[i].spi->modalias);
displays[i].pdev = NULL;
}
}
--
2.7.4
^ permalink raw reply related [flat|nested] 5+ messages in thread