From: Arnd Bergmann
To: linux-arm-kernel@lists.infradead.org
Cc: Lee Jones, Bjorn Andersson, Ohad Ben-Cohen, "devicetree@vger.kernel.org", Florian Fainelli, kernel@stlinux.com, Nathan_Lynch@mentor.com, "linux-kernel@vger.kernel.org", ludovic.barre@st.com, Maxime Coquelin
Subject: Re: [RESEND v4 2/6] remoteproc: debugfs: Add ability to boot remote processor using debugfs
Date: Thu, 03 Dec 2015 13:49:09 +0100
Message-ID: <5329827.I5W30K072M@wuerfel>
In-Reply-To: <20151203122634.GX12874@x1>
References: <1448370862-19120-1-git-send-email-lee.jones@linaro.org> <20151203122634.GX12874@x1>

On Thursday 03 December 2015 12:26:34 Lee Jones wrote:
> > > > > > +static ssize_t rproc_state_write(struct file *filp, const char __user *userbuf, > > > + size_t count, loff_t *ppos) > > > +{ > > > + struct rproc *rproc = filp->private_data; > > > + char buf[10]; > > > + int ret; > > > + > > > + if (count > sizeof(buf)) > > > + return count; > > > + ret = copy_from_user(buf, userbuf, count); > > > + if (ret) > > > + return -EFAULT; > > > + > > > + if (buf[count - 1] == '\n') > > > + buf[count - 1] = '\0';
> >
> > I believe you can get here with count = 0.
>
> I'm pretty sure you can't.
>
> If you are sure that you can, if you can provide me with a way of
> testing, I'd be happy to put in provisions.
>

I think that a zero-length write() from user space ends up in the write file operation. Also, we get a gcc warning about the out-of-bounds access for code like this, and checking that count is larger than zero avoids the warning.

Arnd
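
Review bot: the buf[count - 1] test at the end of the quoted hunk runs with no lower bound on count. Only count > sizeof(buf) is rejected, so a zero-length write passes the check, copy_from_user() copies nothing, and because count is a size_t the index count - 1 wraps around instead of going negative; the read (and, if that byte happens to be '\n', the write of '\0') lands far outside the 10-byte stack buffer. Suggest rejecting the empty case in the same test, e.g. "if (!count || count > sizeof(buf))", and returning -EINVAL there rather than count, so that an input the handler ignored is not reported to user space as a successful write. Separately, count == sizeof(buf) with no trailing newline fills buf completely and leaves it without a NUL terminator; either bound the copy at sizeof(buf) - 1 and terminate explicitly, or make sure whatever consumes buf after this hunk compares with an explicit length.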