From: Robin Murphy <robin.murphy@arm.com>
To: Dan Carpenter <dan.carpenter@oracle.com>,
Joerg Roedel <joro@8bytes.org>, Suman Anna <s-anna@ti.com>
Cc: Will Deacon <will@kernel.org>,
Laurent Pinchart <laurent.pinchart@ideasonboard.com>,
iommu@lists.linux.dev, kernel-janitors@vger.kernel.org
Subject: Re: [PATCH] iommu/omap: fix buffer overflow in debugfs
Date: Thu, 4 Aug 2022 17:31:39 +0100 [thread overview]
Message-ID: <90a760c4-6e88-07b4-1f20-8b10414e49aa@arm.com> (raw)
In-Reply-To: <YuvYh1JbE3v+abd5@kili>
On 04/08/2022 3:32 pm, Dan Carpenter wrote:
> There are two issues here:
>
> 1) The "len" variable needs to be checked before the very first write.
> Otherwise if omap2_iommu_dump_ctx() with "bytes" less than 32 it is a
> buffer overflow.
> 2) The snprintf() function returns the number of bytes that *would* have
> been copied if there were enough space. But we want to know the
> number of bytes which were *actually* copied so use scnprintf()
> instead.
>
> Fixes: bd4396f09a4a ("iommu/omap: Consolidate OMAP IOMMU modules")
FWIW I think this has actually been broken since day one back in
14e0e6796a0d, but I'm also not inclined to care that much - 2014 is
already plenty long ago.
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> drivers/iommu/omap-iommu-debug.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/iommu/omap-iommu-debug.c b/drivers/iommu/omap-iommu-debug.c
> index a99afb5d9011..259f65291d90 100644
> --- a/drivers/iommu/omap-iommu-debug.c
> +++ b/drivers/iommu/omap-iommu-debug.c
> @@ -32,12 +32,12 @@ static inline bool is_omap_iommu_detached(struct omap_iommu *obj)
> ssize_t bytes; \
> const char *str = "%20s: %08x\n"; \
> const int maxcol = 32; \
> - bytes = snprintf(p, maxcol, str, __stringify(name), \
> + if (len < maxcol) \
> + goto out; \
> + bytes = scnprintf(p, maxcol, str, __stringify(name), \
> iommu_read_reg(obj, MMU_##name)); \
I suppose snprintf is OK in practice since none of the names are
anywhere near 20 characters long anyway, but I agree it's better to be
obviously foolproof. Frankly this code is all kinds of horrible anyway,
and deserves ripping out and replacing with a simple seq_file, but for
this fix as a fix,
Reviewed-by: Robin Murphy <robin.murphy@arm.com>
Cheers,
Robin.
> p += bytes; \
> len -= bytes; \
> - if (len < maxcol) \
> - goto out; \
> } while (0)
>
> static ssize_t
next prev parent reply other threads:[~2022-08-04 16:31 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-04 14:32 [PATCH] iommu/omap: fix buffer overflow in debugfs Dan Carpenter
2022-08-04 16:26 ` Laurent Pinchart
2022-08-04 16:31 ` Robin Murphy [this message]
2022-08-05 6:37 ` Dan Carpenter
2022-09-07 8:42 ` Joerg Roedel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=90a760c4-6e88-07b4-1f20-8b10414e49aa@arm.com \
--to=robin.murphy@arm.com \
--cc=dan.carpenter@oracle.com \
--cc=iommu@lists.linux.dev \
--cc=joro@8bytes.org \
--cc=kernel-janitors@vger.kernel.org \
--cc=laurent.pinchart@ideasonboard.com \
--cc=s-anna@ti.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.