[PATCH] usb: xhci: fix missing null termination after copy_from

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] usb: xhci: fix missing null termination after copy_from_user()
@ 2026-01-17  9:46 Weigang He
  2026-01-17  9:58 ` Greg KH
  0 siblings, 1 reply; 5+ messages in thread
From: Weigang He @ 2026-01-17  9:46 UTC (permalink / raw)
  To: mathias.nyman, gregkh; +Cc: linux-usb, linux-kernel, stable, Weigang He

The buffer 'buf' is filled by copy_from_user() but is not properly
null-terminated before being used with strncmp(). If userspace provides
fewer than 10 bytes, strncmp() may read beyond the copied data into
uninitialized stack memory.

Add explicit null termination after copy_from_user() to ensure the
buffer is always a valid C string before string operations.

Fixes: 87a03802184c ("xhci: debugfs: add debugfs interface to enable compliance mode for a port")
Cc: stable@vger.kernel.org
Signed-off-by: Weigang He <geoffreyhe2@gmail.com>
---
 drivers/usb/host/xhci-debugfs.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/host/xhci-debugfs.c b/drivers/usb/host/xhci-debugfs.c
index c1eb1036ede95..1e2350de77775 100644
--- a/drivers/usb/host/xhci-debugfs.c
+++ b/drivers/usb/host/xhci-debugfs.c
@@ -347,11 +347,13 @@ static ssize_t xhci_port_write(struct file *file,  const char __user *ubuf,
 	struct xhci_port	*port = s->private;
 	struct xhci_hcd		*xhci = hcd_to_xhci(port->rhub->hcd);
 	char                    buf[32];
+	size_t			len = min_t(size_t, sizeof(buf) - 1, count);
 	u32			portsc;
 	unsigned long		flags;
 
-	if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
+	if (copy_from_user(&buf, ubuf, len))
 		return -EFAULT;
+	buf[len] = '\0';
 
 	if (!strncmp(buf, "compliance", 10)) {
 		/* If CTC is clear, compliance is enabled by default */
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH] usb: xhci: fix missing null termination after copy_from_user()
  2026-01-17  9:46 [PATCH] usb: xhci: fix missing null termination after copy_from_user() Weigang He
@ 2026-01-17  9:58 ` Greg KH
       [not found]   ` <SE1P216MB1822A187820001789CB4EE3AF28AA@SE1P216MB1822.KORP216.PROD.OUTLOOK.COM>
  2026-01-17 12:06   ` David Laight
  0 siblings, 2 replies; 5+ messages in thread
From: Greg KH @ 2026-01-17  9:58 UTC (permalink / raw)
  To: Weigang He; +Cc: mathias.nyman, linux-usb, linux-kernel, stable

On Sat, Jan 17, 2026 at 09:46:31AM +0000, Weigang He wrote:
> The buffer 'buf' is filled by copy_from_user() but is not properly
> null-terminated before being used with strncmp(). If userspace provides
> fewer than 10 bytes, strncmp() may read beyond the copied data into
> uninitialized stack memory.

But that's fine, it will not match the check, and so it will stop when
told, so no overflow happens anywhere.

> Add explicit null termination after copy_from_user() to ensure the
> buffer is always a valid C string before string operations.

It's ok, and is valid, and this is all debugging code.  This isn't a
real bug, sorry.

> Fixes: 87a03802184c ("xhci: debugfs: add debugfs interface to enable compliance mode for a port")
> Cc: stable@vger.kernel.org

Nope, this doesn't "fix" anything.

How was this bug found?  What tool did you use for this?  How was it tested?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 5+ messages in thread

[parent not found: <SE1P216MB1822A187820001789CB4EE3AF28AA@SE1P216MB1822.KORP216.PROD.OUTLOOK.COM>]

* Re: [PATCH] usb: xhci: fix missing null termination after copy_from_user()
       [not found]   ` <SE1P216MB1822A187820001789CB4EE3AF28AA@SE1P216MB1822.KORP216.PROD.OUTLOOK.COM>
@ 2026-01-17 10:25     ` Greg KH
  0 siblings, 0 replies; 5+ messages in thread
From: Greg KH @ 2026-01-17 10:25 UTC (permalink / raw)
  To: he geoffrey
  Cc: mathias.nyman@intel.com, linux-usb@vger.kernel.org,
	linux-kernel@vger.kernel.org, stable@vger.kernel.org

On Sat, Jan 17, 2026 at 10:13:35AM +0000, he geoffrey wrote:
> This bug is found via static analyzer codeql.

As per our documentation, please always state this.  Please read the
documentation and follow that for your future submissions.

Also note that the analyzer is wrong here, please report it and fix it :)

thanks,

greg k-h


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] usb: xhci: fix missing null termination after copy_from_user()
  2026-01-17  9:58 ` Greg KH
       [not found]   ` <SE1P216MB1822A187820001789CB4EE3AF28AA@SE1P216MB1822.KORP216.PROD.OUTLOOK.COM>
@ 2026-01-17 12:06   ` David Laight
  2026-01-17 12:17     ` Greg KH
  1 sibling, 1 reply; 5+ messages in thread
From: David Laight @ 2026-01-17 12:06 UTC (permalink / raw)
  To: Greg KH; +Cc: Weigang He, mathias.nyman, linux-usb, linux-kernel, stable

On Sat, 17 Jan 2026 10:58:41 +0100
Greg KH <gregkh@linuxfoundation.org> wrote:

> On Sat, Jan 17, 2026 at 09:46:31AM +0000, Weigang He wrote:
> > The buffer 'buf' is filled by copy_from_user() but is not properly
> > null-terminated before being used with strncmp(). If userspace provides
> > fewer than 10 bytes, strncmp() may read beyond the copied data into
> > uninitialized stack memory.  
> 
> But that's fine, it will not match the check, and so it will stop when
> told, so no overflow happens anywhere.

That's not entirely true.
If the user passes "complianc" (without a '\0') and the on-stack buf[9]
happens to be 'e' then the test will succeed rather than fail.

But the only thing that will get upset is KASAN.

More 'interestingly':
- why is it min_t() not min(), everything is size_t.
- why sizeof(buf) - 1, reading into the last byte won't matter.
- why buf[32] not buf[10], even [16] would be plenty for 'future expansion'.

	David


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] usb: xhci: fix missing null termination after copy_from_user()
  2026-01-17 12:06   ` David Laight
@ 2026-01-17 12:17     ` Greg KH
  0 siblings, 0 replies; 5+ messages in thread
From: Greg KH @ 2026-01-17 12:17 UTC (permalink / raw)
  To: David Laight; +Cc: Weigang He, mathias.nyman, linux-usb, linux-kernel, stable

On Sat, Jan 17, 2026 at 12:06:32PM +0000, David Laight wrote:
> On Sat, 17 Jan 2026 10:58:41 +0100
> Greg KH <gregkh@linuxfoundation.org> wrote:
> 
> > On Sat, Jan 17, 2026 at 09:46:31AM +0000, Weigang He wrote:
> > > The buffer 'buf' is filled by copy_from_user() but is not properly
> > > null-terminated before being used with strncmp(). If userspace provides
> > > fewer than 10 bytes, strncmp() may read beyond the copied data into
> > > uninitialized stack memory.  
> > 
> > But that's fine, it will not match the check, and so it will stop when
> > told, so no overflow happens anywhere.
> 
> That's not entirely true.
> If the user passes "complianc" (without a '\0') and the on-stack buf[9]
> happens to be 'e' then the test will succeed rather than fail.

Ok, fair enough, but you are root doing this so you can do much worse
things to the system than this :)

> But the only thing that will get upset is KASAN.

Agreed.

> More 'interestingly':
> - why is it min_t() not min(), everything is size_t.
> - why sizeof(buf) - 1, reading into the last byte won't matter.
> - why buf[32] not buf[10], even [16] would be plenty for 'future expansion'.

It's debugfs, who are we to judge :)

greg k-h

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2026-01-17 12:17 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-01-17  9:46 [PATCH] usb: xhci: fix missing null termination after copy_from_user() Weigang He
2026-01-17  9:58 ` Greg KH
     [not found]   ` <SE1P216MB1822A187820001789CB4EE3AF28AA@SE1P216MB1822.KORP216.PROD.OUTLOOK.COM>
2026-01-17 10:25     ` Greg KH
2026-01-17 12:06   ` David Laight
2026-01-17 12:17     ` Greg KH

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox