* [PATCH] iommu/omap: fix buffer overflow in debugfs
@ 2022-08-04 14:32 Dan Carpenter
2022-08-04 16:26 ` Laurent Pinchart
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Dan Carpenter @ 2022-08-04 14:32 UTC (permalink / raw)
To: Joerg Roedel, Suman Anna
Cc: Will Deacon, Robin Murphy, Laurent Pinchart, iommu, kernel-janitors
There are two issues here:
1) The "len" variable needs to be checked before the very first write.
Otherwise if omap2_iommu_dump_ctx() with "bytes" less than 32 it is a
buffer overflow.
2) The snprintf() function returns the number of bytes that *would* have
been copied if there were enough space. But we want to know the
number of bytes which were *actually* copied so use scnprintf()
instead.
Fixes: bd4396f09a4a ("iommu/omap: Consolidate OMAP IOMMU modules")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
drivers/iommu/omap-iommu-debug.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/iommu/omap-iommu-debug.c b/drivers/iommu/omap-iommu-debug.c
index a99afb5d9011..259f65291d90 100644
--- a/drivers/iommu/omap-iommu-debug.c
+++ b/drivers/iommu/omap-iommu-debug.c
@@ -32,12 +32,12 @@ static inline bool is_omap_iommu_detached(struct omap_iommu *obj)
ssize_t bytes; \
const char *str = "%20s: %08x\n"; \
const int maxcol = 32; \
- bytes = snprintf(p, maxcol, str, __stringify(name), \
+ if (len < maxcol) \
+ goto out; \
+ bytes = scnprintf(p, maxcol, str, __stringify(name), \
iommu_read_reg(obj, MMU_##name)); \
p += bytes; \
len -= bytes; \
- if (len < maxcol) \
- goto out; \
} while (0)
static ssize_t
--
2.35.1
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH] iommu/omap: fix buffer overflow in debugfs
2022-08-04 14:32 [PATCH] iommu/omap: fix buffer overflow in debugfs Dan Carpenter
@ 2022-08-04 16:26 ` Laurent Pinchart
2022-08-04 16:31 ` Robin Murphy
2022-09-07 8:42 ` Joerg Roedel
2 siblings, 0 replies; 5+ messages in thread
From: Laurent Pinchart @ 2022-08-04 16:26 UTC (permalink / raw)
To: Dan Carpenter
Cc: Joerg Roedel, Suman Anna, Will Deacon, Robin Murphy, iommu,
kernel-janitors
Hi Dan,
Thank you for the patch.
On Thu, Aug 04, 2022 at 05:32:39PM +0300, Dan Carpenter wrote:
> There are two issues here:
>
> 1) The "len" variable needs to be checked before the very first write.
> Otherwise if omap2_iommu_dump_ctx() with "bytes" less than 32 it is a
> buffer overflow.
> 2) The snprintf() function returns the number of bytes that *would* have
> been copied if there were enough space. But we want to know the
> number of bytes which were *actually* copied so use scnprintf()
> instead.
>
> Fixes: bd4396f09a4a ("iommu/omap: Consolidate OMAP IOMMU modules")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> drivers/iommu/omap-iommu-debug.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/iommu/omap-iommu-debug.c b/drivers/iommu/omap-iommu-debug.c
> index a99afb5d9011..259f65291d90 100644
> --- a/drivers/iommu/omap-iommu-debug.c
> +++ b/drivers/iommu/omap-iommu-debug.c
> @@ -32,12 +32,12 @@ static inline bool is_omap_iommu_detached(struct omap_iommu *obj)
> ssize_t bytes; \
> const char *str = "%20s: %08x\n"; \
> const int maxcol = 32; \
> - bytes = snprintf(p, maxcol, str, __stringify(name), \
> + if (len < maxcol) \
> + goto out; \
> + bytes = scnprintf(p, maxcol, str, __stringify(name), \
> iommu_read_reg(obj, MMU_##name)); \
> p += bytes; \
> len -= bytes; \
> - if (len < maxcol) \
> - goto out; \
> } while (0)
This could would really benefit from being rewritten using a static
table of register name and offset and a loop that iterates over it.
Still, this is a valid bug fix, so
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
> static ssize_t
--
Regards,
Laurent Pinchart
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] iommu/omap: fix buffer overflow in debugfs
2022-08-04 14:32 [PATCH] iommu/omap: fix buffer overflow in debugfs Dan Carpenter
2022-08-04 16:26 ` Laurent Pinchart
@ 2022-08-04 16:31 ` Robin Murphy
2022-08-05 6:37 ` Dan Carpenter
2022-09-07 8:42 ` Joerg Roedel
2 siblings, 1 reply; 5+ messages in thread
From: Robin Murphy @ 2022-08-04 16:31 UTC (permalink / raw)
To: Dan Carpenter, Joerg Roedel, Suman Anna
Cc: Will Deacon, Laurent Pinchart, iommu, kernel-janitors
On 04/08/2022 3:32 pm, Dan Carpenter wrote:
> There are two issues here:
>
> 1) The "len" variable needs to be checked before the very first write.
> Otherwise if omap2_iommu_dump_ctx() with "bytes" less than 32 it is a
> buffer overflow.
> 2) The snprintf() function returns the number of bytes that *would* have
> been copied if there were enough space. But we want to know the
> number of bytes which were *actually* copied so use scnprintf()
> instead.
>
> Fixes: bd4396f09a4a ("iommu/omap: Consolidate OMAP IOMMU modules")
FWIW I think this has actually been broken since day one back in
14e0e6796a0d, but I'm also not inclined to care that much - 2014 is
already plenty long ago.
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> drivers/iommu/omap-iommu-debug.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/iommu/omap-iommu-debug.c b/drivers/iommu/omap-iommu-debug.c
> index a99afb5d9011..259f65291d90 100644
> --- a/drivers/iommu/omap-iommu-debug.c
> +++ b/drivers/iommu/omap-iommu-debug.c
> @@ -32,12 +32,12 @@ static inline bool is_omap_iommu_detached(struct omap_iommu *obj)
> ssize_t bytes; \
> const char *str = "%20s: %08x\n"; \
> const int maxcol = 32; \
> - bytes = snprintf(p, maxcol, str, __stringify(name), \
> + if (len < maxcol) \
> + goto out; \
> + bytes = scnprintf(p, maxcol, str, __stringify(name), \
> iommu_read_reg(obj, MMU_##name)); \
I suppose snprintf is OK in practice since none of the names are
anywhere near 20 characters long anyway, but I agree it's better to be
obviously foolproof. Frankly this code is all kinds of horrible anyway,
and deserves ripping out and replacing with a simple seq_file, but for
this fix as a fix,
Reviewed-by: Robin Murphy <robin.murphy@arm.com>
Cheers,
Robin.
> p += bytes; \
> len -= bytes; \
> - if (len < maxcol) \
> - goto out; \
> } while (0)
>
> static ssize_t
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] iommu/omap: fix buffer overflow in debugfs
2022-08-04 16:31 ` Robin Murphy
@ 2022-08-05 6:37 ` Dan Carpenter
0 siblings, 0 replies; 5+ messages in thread
From: Dan Carpenter @ 2022-08-05 6:37 UTC (permalink / raw)
To: Robin Murphy
Cc: Joerg Roedel, Suman Anna, Will Deacon, Laurent Pinchart, iommu,
kernel-janitors
On Thu, Aug 04, 2022 at 05:31:39PM +0100, Robin Murphy wrote:
> On 04/08/2022 3:32 pm, Dan Carpenter wrote:
> > There are two issues here:
> >
> > 1) The "len" variable needs to be checked before the very first write.
> > Otherwise if omap2_iommu_dump_ctx() with "bytes" less than 32 it is a
> > buffer overflow.
> > 2) The snprintf() function returns the number of bytes that *would* have
> > been copied if there were enough space. But we want to know the
> > number of bytes which were *actually* copied so use scnprintf()
> > instead.
> >
> > Fixes: bd4396f09a4a ("iommu/omap: Consolidate OMAP IOMMU modules")
>
> FWIW I think this has actually been broken since day one back in
> 14e0e6796a0d, but I'm also not inclined to care that much - 2014 is already
> plenty long ago.
>
I don't know how I didn't see that. It's like my eyeballs are broken
sometimes. Possibly it should be:
Fixes: 14e0e6796a0d ("OMAP: iommu: add initial debugfs support")
Althought that's debatable as well...
> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> > ---
> > drivers/iommu/omap-iommu-debug.c | 6 +++---
> > 1 file changed, 3 insertions(+), 3 deletions(-)
> >
> > diff --git a/drivers/iommu/omap-iommu-debug.c b/drivers/iommu/omap-iommu-debug.c
> > index a99afb5d9011..259f65291d90 100644
> > --- a/drivers/iommu/omap-iommu-debug.c
> > +++ b/drivers/iommu/omap-iommu-debug.c
> > @@ -32,12 +32,12 @@ static inline bool is_omap_iommu_detached(struct omap_iommu *obj)
> > ssize_t bytes; \
> > const char *str = "%20s: %08x\n"; \
> > const int maxcol = 32; \
> > - bytes = snprintf(p, maxcol, str, __stringify(name), \
> > + if (len < maxcol) \
> > + goto out; \
> > + bytes = scnprintf(p, maxcol, str, __stringify(name), \
> > iommu_read_reg(obj, MMU_##name)); \
>
> I suppose snprintf is OK in practice since none of the names are anywhere
> near 20 characters long anyway, but I agree it's better to be obviously
> foolproof.
The issue with scnprintf() vs snprintf() is not the 32 character limit.
The issue is the "p - buf" math in omap2_iommu_dump_ctx(). The "p"
variable is past the end of the buffer. The user decides the size of
the buffer so it's a real bug.
regards,
dan carpenter
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] iommu/omap: fix buffer overflow in debugfs
2022-08-04 14:32 [PATCH] iommu/omap: fix buffer overflow in debugfs Dan Carpenter
2022-08-04 16:26 ` Laurent Pinchart
2022-08-04 16:31 ` Robin Murphy
@ 2022-09-07 8:42 ` Joerg Roedel
2 siblings, 0 replies; 5+ messages in thread
From: Joerg Roedel @ 2022-09-07 8:42 UTC (permalink / raw)
To: Dan Carpenter
Cc: Suman Anna, Will Deacon, Robin Murphy, Laurent Pinchart, iommu,
kernel-janitors
On Thu, Aug 04, 2022 at 05:32:39PM +0300, Dan Carpenter wrote:
> drivers/iommu/omap-iommu-debug.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
Applied, thanks.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-09-07 8:50 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-08-04 14:32 [PATCH] iommu/omap: fix buffer overflow in debugfs Dan Carpenter
2022-08-04 16:26 ` Laurent Pinchart
2022-08-04 16:31 ` Robin Murphy
2022-08-05 6:37 ` Dan Carpenter
2022-09-07 8:42 ` Joerg Roedel
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.