From: Tyrel Datwyler <tyreld@linux.ibm.com> To: bhelgaas@google.com Cc: linux-pci@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org, mmc@linux.ibm.com, Tyrel Datwyler <tyreld@linux.ibm.com> Subject: [PATCH] rpadlpar: fix potential drc_name corruption in store functions Date: Wed, 10 Mar 2021 16:30:21 -0600 [thread overview] Message-ID: <20210310223021.423155-1-tyreld@linux.ibm.com> (raw) Both add_slot_store() and remove_slot_store() try to fix up the drc_name copied from the store buffer by placing a NULL terminator at nbyte + 1 or in place of a '\n' if present. However, the static buffer that we copy the drc_name data into is not zeored and can contain anything past the n-th byte. This is problematic if a '\n' byte appears in that buffer after nbytes and the string copied into the store buffer was not NULL terminated to start with as the strchr() search for a '\n' byte will mark this incorrectly as the end of the drc_name string resulting in a drc_name string that contains garbage data after the n-th byte. The following debugging shows an example of the drmgr utility writing "PHB 4543" to the add_slot sysfs attribute, but add_slot_store logging a corrupted string value. [135823.702864] drmgr: drmgr: -c phb -a -s PHB 4543 -d 1 [135823.702879] add_slot_store: drc_name = PHB 4543°|<82>!, rc = -19 Fix this by NULL terminating the string when we copy it into our static buffer by coping nbytes + 1 of data from the store buffer. The code has already made sure that nbytes is not >= MAX_DRC_NAME_LEN and the store buffer is guaranteed to be zeroed beyond the nth-byte of data copied from the user. Further, since the string is now NULL terminated the code only needs to change '\n' to '\0' when present. Signed-off-by: Tyrel Datwyler <tyreld@linux.ibm.com> --- drivers/pci/hotplug/rpadlpar_sysfs.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/drivers/pci/hotplug/rpadlpar_sysfs.c b/drivers/pci/hotplug/rpadlpar_sysfs.c index cdbfa5df3a51..375087921284 100644 --- a/drivers/pci/hotplug/rpadlpar_sysfs.c +++ b/drivers/pci/hotplug/rpadlpar_sysfs.c @@ -34,12 +34,11 @@ static ssize_t add_slot_store(struct kobject *kobj, struct kobj_attribute *attr, if (nbytes >= MAX_DRC_NAME_LEN) return 0; - memcpy(drc_name, buf, nbytes); + memcpy(drc_name, buf, nbytes + 1); end = strchr(drc_name, '\n'); - if (!end) - end = &drc_name[nbytes]; - *end = '\0'; + if (end) + *end = '\0'; rc = dlpar_add_slot(drc_name); if (rc) @@ -65,12 +64,11 @@ static ssize_t remove_slot_store(struct kobject *kobj, if (nbytes >= MAX_DRC_NAME_LEN) return 0; - memcpy(drc_name, buf, nbytes); + memcpy(drc_name, buf, nbytes + 1); end = strchr(drc_name, '\n'); - if (!end) - end = &drc_name[nbytes]; - *end = '\0'; + if (end) + *end = '\0'; rc = dlpar_remove_slot(drc_name); if (rc) -- 2.27.0
WARNING: multiple messages have this Message-ID (diff)
From: Tyrel Datwyler <tyreld@linux.ibm.com> To: bhelgaas@google.com Cc: linux-pci@vger.kernel.org, mmc@linux.ibm.com, linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org, Tyrel Datwyler <tyreld@linux.ibm.com> Subject: [PATCH] rpadlpar: fix potential drc_name corruption in store functions Date: Wed, 10 Mar 2021 16:30:21 -0600 [thread overview] Message-ID: <20210310223021.423155-1-tyreld@linux.ibm.com> (raw) Both add_slot_store() and remove_slot_store() try to fix up the drc_name copied from the store buffer by placing a NULL terminator at nbyte + 1 or in place of a '\n' if present. However, the static buffer that we copy the drc_name data into is not zeored and can contain anything past the n-th byte. This is problematic if a '\n' byte appears in that buffer after nbytes and the string copied into the store buffer was not NULL terminated to start with as the strchr() search for a '\n' byte will mark this incorrectly as the end of the drc_name string resulting in a drc_name string that contains garbage data after the n-th byte. The following debugging shows an example of the drmgr utility writing "PHB 4543" to the add_slot sysfs attribute, but add_slot_store logging a corrupted string value. [135823.702864] drmgr: drmgr: -c phb -a -s PHB 4543 -d 1 [135823.702879] add_slot_store: drc_name = PHB 4543°|<82>!, rc = -19 Fix this by NULL terminating the string when we copy it into our static buffer by coping nbytes + 1 of data from the store buffer. The code has already made sure that nbytes is not >= MAX_DRC_NAME_LEN and the store buffer is guaranteed to be zeroed beyond the nth-byte of data copied from the user. Further, since the string is now NULL terminated the code only needs to change '\n' to '\0' when present. Signed-off-by: Tyrel Datwyler <tyreld@linux.ibm.com> --- drivers/pci/hotplug/rpadlpar_sysfs.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/drivers/pci/hotplug/rpadlpar_sysfs.c b/drivers/pci/hotplug/rpadlpar_sysfs.c index cdbfa5df3a51..375087921284 100644 --- a/drivers/pci/hotplug/rpadlpar_sysfs.c +++ b/drivers/pci/hotplug/rpadlpar_sysfs.c @@ -34,12 +34,11 @@ static ssize_t add_slot_store(struct kobject *kobj, struct kobj_attribute *attr, if (nbytes >= MAX_DRC_NAME_LEN) return 0; - memcpy(drc_name, buf, nbytes); + memcpy(drc_name, buf, nbytes + 1); end = strchr(drc_name, '\n'); - if (!end) - end = &drc_name[nbytes]; - *end = '\0'; + if (end) + *end = '\0'; rc = dlpar_add_slot(drc_name); if (rc) @@ -65,12 +64,11 @@ static ssize_t remove_slot_store(struct kobject *kobj, if (nbytes >= MAX_DRC_NAME_LEN) return 0; - memcpy(drc_name, buf, nbytes); + memcpy(drc_name, buf, nbytes + 1); end = strchr(drc_name, '\n'); - if (!end) - end = &drc_name[nbytes]; - *end = '\0'; + if (end) + *end = '\0'; rc = dlpar_remove_slot(drc_name); if (rc) -- 2.27.0
next reply other threads:[~2021-03-10 22:31 UTC|newest] Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top 2021-03-10 22:30 Tyrel Datwyler [this message] 2021-03-10 22:30 ` [PATCH] rpadlpar: fix potential drc_name corruption in store functions Tyrel Datwyler 2021-03-13 9:17 ` Michal Suchánek 2021-03-14 22:32 ` Tyrel Datwyler 2021-03-15 2:52 ` Michael Ellerman 2021-03-15 16:58 ` Tyrel Datwyler
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20210310223021.423155-1-tyreld@linux.ibm.com \ --to=tyreld@linux.ibm.com \ --cc=bhelgaas@google.com \ --cc=linux-kernel@vger.kernel.org \ --cc=linux-pci@vger.kernel.org \ --cc=linuxppc-dev@lists.ozlabs.org \ --cc=mmc@linux.ibm.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.