From: Cyrill Gorcunov <gorcunov@gmail.com>
To: Jean Delvare <jdelvare@suse.de>
Cc: LKML <linux-kernel@vger.kernel.org>
Subject: [PATCH v2] firmware: dmi: Respect buffer size in get_modalias
Date: Sun, 30 Mar 2025 01:39:40 +0300
Message-ID: <Z-h2rOF2ulYAS3_j@grain>
In-Reply-To: <Z9NYLCdVfp2Nzet9@grain>

When we collect data from DMI info, the "dmi" prefix is copied unconditionally,
which may result in a buffer overflow when filling the uevent environment.
Thus let's use the strscpy() helper instead. At the same time, make all
get_modalias() callers handle the error.

CC: Jean Delvare <jdelvare@suse.com>
Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
---
v2:
 - add comment about reserving space for suffix
 - check for error in callers

 drivers/firmware/dmi-id.c |   30 +++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 11 deletions(-)

Index: linux-tip.git/drivers/firmware/dmi-id.c
===================================================================
--- linux-tip.git.orig/drivers/firmware/dmi-id.c
+++ linux-tip.git/drivers/firmware/dmi-id.c
@@ -103,8 +103,15 @@ static ssize_t get_modalias(char *buffer
 	char *p;
 	const struct mafield *f;
 
-	strcpy(buffer, "dmi");
-	p = buffer + 3; left = buffer_size - 4;
+	l = strscpy(buffer, "dmi", buffer_size);
+	if (l < 0)
+		return -ENOMEM;
+	p = buffer + l;
+
+	/* Reserve place for suffix */
+	left = buffer_size - l - 1;
+	if (left < 0)
+		return -ENOMEM;
 
 	for (f = fields; f->prefix && left > 0; f++) {
 		const char *c;
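
Review bot: The new "if (left < 0)" check after the "Reserve place for suffix" comment can never fire. Once strscpy() has returned l >= 0, buffer_size is at least l + 1, so "left = buffer_size - l - 1" is never negative. The case that is left unhandled is left == 0 (buffer_size == 4): the loop is skipped because of its "left > 0" condition, and the "*p++ = ':'; *p = 0;" pair in the next hunk then stores at buffer[3] and buffer[4], one byte past the end. The suffix needs two bytes (':' and the NUL), so either test "left <= 0" here or reserve both bytes in the calculation and adjust the comment to match.
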
@@ -125,20 +132,21 @@ static ssize_t get_modalias(char *buffer
 		left -= l;
 	}
 
-	p[0] = ':';
-	p[1] = 0;
+	*p++ = ':';
+	*p = 0;
 
-	return p - buffer + 1;
+	return p - buffer;
 }
 
 static ssize_t sys_dmi_modalias_show(struct device *dev,
 				     struct device_attribute *attr, char *page)
 {
-	ssize_t r;
-	r = get_modalias(page, PAGE_SIZE-1);
-	page[r] = '\n';
-	page[r+1] = 0;
-	return r+1;
+	ssize_t r = get_modalias(page, PAGE_SIZE-1);
+	if (r > 0) {
+		page[r++] = '\n';
+		page[r] = 0;
+	}
+	return r;
 }
 
 static struct device_attribute sys_dmi_modalias_attr =
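
Review bot: The return contract of get_modalias() is now relied on by every caller but is not written down anywhere in this hunk: it returns a negative errno on failure, otherwise "p - buffer", the string length including the trailing ':' and excluding the NUL. A short comment above the function saying so would make the "if (r > 0)" test in sys_dmi_modalias_show() and the "len < 0" test in dmi_dev_uevent() easier to verify. It is also worth noting in the changelog that the sysfs show handler can now return an error to userspace instead of always returning a length. Style: add a blank line between "ssize_t r = get_modalias(page, PAGE_SIZE-1);" and the "if" that follows the declaration.
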
@@ -163,7 +171,7 @@ static int dmi_dev_uevent(const struct d
 		return -ENOMEM;
 	len = get_modalias(&env->buf[env->buflen - 1],
 			   sizeof(env->buf) - env->buflen);
-	if (len >= (sizeof(env->buf) - env->buflen))
+	if (len < 0)
 		return -ENOMEM;
 	env->buflen += len;
 	return 0;
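
Review bot: The "if (len < 0)" test only works if "len" is a signed type, and its declaration is outside this hunk; the removed comparison against "sizeof(env->buf) - env->buflen" was an unsigned comparison, so please confirm "len" is ssize_t (or int) and not size_t. Separately, with the length check gone the only failure reported here is the one from the prefix copy: a modalias cut short because the field loop ran out of "left" still comes back as a positive length and is added to env->buflen as if complete. If truncated output in the uevent environment is not acceptable, get_modalias() needs a way to signal it.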

Thread overview: 5+ messages
2025-02-20 20:53 [PATCH] firmware: dmi: Respect buffer size in get_modalias Cyrill Gorcunov
2025-03-12 19:54 ` Cyrill Gorcunov
2025-03-13 18:41 ` Jean Delvare
2025-03-13 22:11   ` Cyrill Gorcunov
2025-03-29 22:39     ` Cyrill Gorcunov [this message]