* [PATCH] scsi: ufs: Leave space for '\0' in utf8 desc string
@ 2023-10-17 18:20 Daniel Mentz
2023-10-17 19:20 ` Avri Altman
2023-10-25 2:46 ` Martin K. Petersen
0 siblings, 2 replies; 5+ messages in thread
From: Daniel Mentz @ 2023-10-17 18:20 UTC (permalink / raw)
To: linux-scsi, linux-kernel
Cc: Tomas Winkler, Avri Altman, Martin K . Petersen, Daniel Mentz,
Mars Cheng, Bart Van Assche, Yen-lin Lai
utf16s_to_utf8s does not NULL terminate the output string. For us to be
able to add a NULL character when utf16s_to_utf8s returns, we need to
make sure that there is space for such NULL character at the end of the
output buffer. We can achieve this by passing an output buffer size to
utf16s_to_utf8s that is one character less than what we allocated.
Other call sites of utf16s_to_utf8s appear to be using the same
technique where they artificially reduce the buffer size by one to leave
space for a NULL character or line feed character.
Fixes: 4b828fe156a6 ("scsi: ufs: revamp string descriptor reading")
Reviewed-by: Mars Cheng <marscheng@google.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Yen-lin Lai <yenlinlai@google.com>
Signed-off-by: Daniel Mentz <danielmentz@google.com>
---
drivers/ufs/core/ufshcd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c
index 8382e8cfa414..5767642982c1 100644
--- a/drivers/ufs/core/ufshcd.c
+++ b/drivers/ufs/core/ufshcd.c
@@ -3632,7 +3632,7 @@ int ufshcd_read_string_desc(struct ufs_hba *hba, u8 desc_index,
*/
ret = utf16s_to_utf8s(uc_str->uc,
uc_str->len - QUERY_DESC_HDR_SIZE,
- UTF16_BIG_ENDIAN, str, ascii_len);
+ UTF16_BIG_ENDIAN, str, ascii_len - 1);
/* replace non-printable or non-ASCII characters with spaces */
for (i = 0; i < ret; i++)
--
2.42.0.655.g421f12c284-goog
^ permalink raw reply related [flat|nested] 5+ messages in thread
* RE: [PATCH] scsi: ufs: Leave space for '\0' in utf8 desc string
2023-10-17 18:20 [PATCH] scsi: ufs: Leave space for '\0' in utf8 desc string Daniel Mentz
@ 2023-10-17 19:20 ` Avri Altman
2023-10-17 19:33 ` Bart Van Assche
2023-10-25 2:46 ` Martin K. Petersen
1 sibling, 1 reply; 5+ messages in thread
From: Avri Altman @ 2023-10-17 19:20 UTC (permalink / raw)
To: Daniel Mentz, linux-scsi, linux-kernel
Cc: Tomas Winkler, Martin K . Petersen, Mars Cheng, Bart Van Assche,
Yen-lin Lai
> utf16s_to_utf8s does not NULL terminate the output string. For us to be able
> to add a NULL character when utf16s_to_utf8s returns, we need to make
> sure that there is space for such NULL character at the end of the output
> buffer. We can achieve this by passing an output buffer size to
> utf16s_to_utf8s that is one character less than what we allocated.
>
> Other call sites of utf16s_to_utf8s appear to be using the same technique
> where they artificially reduce the buffer size by one to leave space for a
> NULL character or line feed character.
>
> Fixes: 4b828fe156a6 ("scsi: ufs: revamp string descriptor reading")
I think this code goes back to commit b573d484e4ff (scsi: ufs: add support to read device and string descriptors)
Reviewed-by: Avri Altman <avri.altman@wdc.com>
> Reviewed-by: Mars Cheng <marscheng@google.com>
> Reviewed-by: Bart Van Assche <bvanassche@acm.org>
> Reviewed-by: Yen-lin Lai <yenlinlai@google.com>
> Signed-off-by: Daniel Mentz <danielmentz@google.com>
> ---
> drivers/ufs/core/ufshcd.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/ufs/core/ufshcd.c b/drivers/ufs/core/ufshcd.c index
> 8382e8cfa414..5767642982c1 100644
> --- a/drivers/ufs/core/ufshcd.c
> +++ b/drivers/ufs/core/ufshcd.c
> @@ -3632,7 +3632,7 @@ int ufshcd_read_string_desc(struct ufs_hba *hba,
> u8 desc_index,
> */
> ret = utf16s_to_utf8s(uc_str->uc,
> uc_str->len - QUERY_DESC_HDR_SIZE,
> - UTF16_BIG_ENDIAN, str, ascii_len);
> + UTF16_BIG_ENDIAN, str, ascii_len -
> + 1);
>
> /* replace non-printable or non-ASCII characters with spaces */
> for (i = 0; i < ret; i++)
> --
> 2.42.0.655.g421f12c284-goog
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] scsi: ufs: Leave space for '\0' in utf8 desc string
2023-10-17 19:20 ` Avri Altman
@ 2023-10-17 19:33 ` Bart Van Assche
2023-10-17 21:56 ` Daniel Mentz
0 siblings, 1 reply; 5+ messages in thread
From: Bart Van Assche @ 2023-10-17 19:33 UTC (permalink / raw)
To: Avri Altman, Daniel Mentz, linux-scsi, linux-kernel
Cc: Tomas Winkler, Martin K . Petersen, Mars Cheng, Yen-lin Lai
On 10/17/23 12:20, Avri Altman wrote:
>> Fixes: 4b828fe156a6 ("scsi: ufs: revamp string descriptor reading")
> I think this code goes back to commit b573d484e4ff (scsi: ufs: add support to read device and string descriptors)
Hmm ... it seems to me that there was no buffer overflow in commit
b573d484e4ff but that the buffer overflow was introduced by commit
4b828fe156a6?
Thanks,
Bart.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] scsi: ufs: Leave space for '\0' in utf8 desc string
2023-10-17 19:33 ` Bart Van Assche
@ 2023-10-17 21:56 ` Daniel Mentz
0 siblings, 0 replies; 5+ messages in thread
From: Daniel Mentz @ 2023-10-17 21:56 UTC (permalink / raw)
To: Bart Van Assche, Avri Altman
Cc: linux-scsi, linux-kernel, Tomas Winkler, Martin K . Petersen,
Mars Cheng, Yen-lin Lai
On Tue, Oct 17, 2023 at 12:33 PM Bart Van Assche <bvanassche@acm.org> wrote:
>
> On 10/17/23 12:20, Avri Altman wrote:
> >> Fixes: 4b828fe156a6 ("scsi: ufs: revamp string descriptor reading")
> > I think this code goes back to commit b573d484e4ff (scsi: ufs: add support to read device and string descriptors)
>
> Hmm ... it seems to me that there was no buffer overflow in commit
> b573d484e4ff but that the buffer overflow was introduced by commit
> 4b828fe156a6?
Thank you for the review Avri.
To me, it appears as if those two commits had different issues:
commit b573d484e4ff ("scsi: ufs: add support to read device and string
descriptors") failed to reliably NULL terminate the output string (in
the case where ascii_len == size - QUERY_DESC_HDR_SIZE).
commit 4b828fe156a6 ("scsi: ufs: revamp string descriptor reading")
potentially performs an out-of-bounds array access while NULL
terminating the output string.
I would argue that the proposed fix wouldn't even fix the former and
older commit b573d484e4ff, because that commit might have required
more fixes like using kzalloc instead of kmalloc.
I find that the newer commit 4b828fe156a6 did enough of refactoring
for it to be considered the commit that needs this fix.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] scsi: ufs: Leave space for '\0' in utf8 desc string
2023-10-17 18:20 [PATCH] scsi: ufs: Leave space for '\0' in utf8 desc string Daniel Mentz
2023-10-17 19:20 ` Avri Altman
@ 2023-10-25 2:46 ` Martin K. Petersen
1 sibling, 0 replies; 5+ messages in thread
From: Martin K. Petersen @ 2023-10-25 2:46 UTC (permalink / raw)
To: Daniel Mentz
Cc: linux-scsi, linux-kernel, Tomas Winkler, Avri Altman,
Martin K . Petersen, Mars Cheng, Bart Van Assche, Yen-lin Lai
Daniel,
> utf16s_to_utf8s does not NULL terminate the output string. For us to be
> able to add a NULL character when utf16s_to_utf8s returns, we need to
> make sure that there is space for such NULL character at the end of the
> output buffer. We can achieve this by passing an output buffer size to
> utf16s_to_utf8s that is one character less than what we allocated.
Applied to 6.7/scsi-staging, thanks!
--
Martin K. Petersen Oracle Linux Engineering
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2023-10-25 2:47 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-10-17 18:20 [PATCH] scsi: ufs: Leave space for '\0' in utf8 desc string Daniel Mentz
2023-10-17 19:20 ` Avri Altman
2023-10-17 19:33 ` Bart Van Assche
2023-10-17 21:56 ` Daniel Mentz
2023-10-25 2:46 ` Martin K. Petersen
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.