Date: Wed, 14 Jul 2021 18:52:24 +0200
Message-ID: <20210714185224.Horde.SuBZAzTXvfB6J6HsqQkOog6@messagerie.c-s.fr>
From: Christophe Leroy
To: Yi Zhuang
Cc: hegdevasant@linux.vnet.ibm.com, paulus@samba.org, linuxppc-dev@lists.ozlabs.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] powerpc/rtas_flash: fix a potential buffer overflow
In-Reply-To: <20210714122753.76021-1-zhuangyi1@huawei.com>

Yi Zhuang wrote:
> Since snprintf() returns the possible output size instead of the
> actual output size, the available flash_msg length returned by
> get_validate_flash_msg may exceed the given buffer limit when
> simple_read_from_buffer calls copy_to_user
>
> Reported-by: kernel test robot
> Fixes: a94a14720eaf5 powerpc/rtas_flash: Fix validate_flash buffer overflow issue
> Signed-off-by: Yi Zhuang
> ---
>  arch/powerpc/kernel/rtas_flash.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/arch/powerpc/kernel/rtas_flash.c b/arch/powerpc/kernel/rtas_flash.c
> index a99179d83538..062f0724c2ff 100644
> --- a/arch/powerpc/kernel/rtas_flash.c
> +++ b/arch/powerpc/kernel/rtas_flash.c
> @@ -470,9 +470,14 @@ static int get_validate_flash_msg(struct rtas_validate_flash_t *args_buf,
>  	if (args_buf->status >= VALIDATE_TMP_UPDATE) {
>  		n = sprintf(msg, "%d\n", args_buf->update_results);
>  		if ((args_buf->update_results >= VALIDATE_CUR_UNKNOWN) ||
> -		    (args_buf->update_results == VALIDATE_TMP_UPDATE))
> +		    (args_buf->update_results == VALIDATE_TMP_UPDATE)) {
>  			n += snprintf(msg + n, msglen - n, "%s\n",
>  				      args_buf->buf);
> +			if (n >= msglen) {

n cannot be greater than msglen

> +				n = msglen;
> +				printk(KERN_ERR "FLASH: msg too long.\n");
> +			}
> +		}
>  	} else {
>  		n = sprintf(msg, "%d\n", args_buf->status);
>  	}
> --
> 2.26.0.106.g9fadedd
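Review bot: the clamp `n = msglen` inside the new `if (n >= msglen)` branch is one byte too long. When snprintf(msg + n, msglen - n, ...) truncates, it still stores the terminating NUL at msg[msglen - 1], so the text actually present in msg is at most msglen - 1 bytes, and returning msglen makes the caller hand that NUL byte to copy_to_user() as part of the message. Either clamp to `n = msglen - 1`, or drop the check and the printk() altogether by using scnprintf(), which returns the number of bytes actually written into the buffer rather than the length the full string would have needed: `n += scnprintf(msg + n, msglen - n, "%s\n", args_buf->buf);`.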
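A user-space model of the pitfall the commit message describes, added here as an example; it is not code from the patch, from Christophe Leroy or from the kernel tree. MSG_MAXLEN, the two VALIDATE_* values and the validate_args layout are constructed stand-ins for RTAS_MSG_MAXLEN, the kernel's status codes and rtas_validate_flash_t, and the clamp to msglen - 1 is this example's own choice rather than the hunk's n = msglen. The unfixed function shows n running past the buffer for a long firmware string; the clamped one returns exactly the bytes that are in msg.

```c
/*
 * Added example (not from the patch or the kernel): a user-space model of
 * the snprintf() return-value pitfall.  All constants and the struct layout
 * are constructed stand-ins for the kernel's RTAS definitions.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MSG_MAXLEN 64           /* stand-in for RTAS_MSG_MAXLEN (assumed value) */
#define VALIDATE_TMP_UPDATE 2   /* illustrative status codes, not the kernel's values */
#define VALIDATE_CUR_UNKNOWN 3

struct validate_args {
	int status;
	int update_results;
	char buf[256];          /* firmware-supplied text; may be longer than msg */
};

/* Before the fix: snprintf() returns the length the full string would have
 * needed, so n ends up larger than msglen whenever buf does not fit. */
int msg_len_unbounded(const struct validate_args *a, char *msg, size_t msglen)
{
	int n;

	if (a->status >= VALIDATE_TMP_UPDATE) {
		n = snprintf(msg, msglen, "%d\n", a->update_results);
		if (a->update_results >= VALIDATE_CUR_UNKNOWN ||
		    a->update_results == VALIDATE_TMP_UPDATE)
			n += snprintf(msg + n, msglen - n, "%s\n", a->buf);
	} else {
		n = snprintf(msg, msglen, "%d\n", a->status);
	}
	return n;
}

/* After the fix, in the spirit of the hunk: clamp n so a caller passing it to
 * copy_to_user() never reads past msg.  The clamp is msglen - 1, not msglen,
 * because a truncating snprintf() still stores the NUL at msg[msglen - 1]. */
int msg_len_clamped(const struct validate_args *a, char *msg, size_t msglen)
{
	int n;

	if (a->status >= VALIDATE_TMP_UPDATE) {
		n = snprintf(msg, msglen, "%d\n", a->update_results);
		if (a->update_results >= VALIDATE_CUR_UNKNOWN ||
		    a->update_results == VALIDATE_TMP_UPDATE) {
			n += snprintf(msg + n, msglen - n, "%s\n", a->buf);
			if ((size_t)n >= msglen)
				n = (int)msglen - 1;
		}
	} else {
		n = snprintf(msg, msglen, "%d\n", a->status);
	}
	return n;
}

/* Constructed input: take the branch that appends buf, with buf holding
 * buflen 'A' bytes (buflen must be < sizeof buf). */
static void make_args(struct validate_args *a, size_t buflen)
{
	memset(a, 0, sizeof(*a));
	a->status = VALIDATE_TMP_UPDATE;
	a->update_results = VALIDATE_CUR_UNKNOWN;
	memset(a->buf, 'A', buflen);
	a->buf[buflen] = '\0';
}

/* Length the unfixed code would hand to copy_to_user() for a buflen-byte buf. */
int demo_unbounded_len(size_t buflen)
{
	struct validate_args a;
	char msg[MSG_MAXLEN];

	make_args(&a, buflen);
	return msg_len_unbounded(&a, msg, sizeof msg);
}

/* Same input through the clamped version. */
int demo_clamped_len(size_t buflen)
{
	struct validate_args a;
	char msg[MSG_MAXLEN];

	make_args(&a, buflen);
	return msg_len_clamped(&a, msg, sizeof msg);
}

/* 1 if the clamped length equals the bytes actually stored in msg. */
int demo_clamped_len_is_exact(size_t buflen)
{
	struct validate_args a;
	char msg[MSG_MAXLEN];
	int n;

	make_args(&a, buflen);
	n = msg_len_clamped(&a, msg, sizeof msg);
	return (size_t)n == strlen(msg);
}

int main(void)
{
	printf("200-byte buf into %d-byte msg: unfixed n=%d, clamped n=%d\n",
	       MSG_MAXLEN, demo_unbounded_len(200), demo_clamped_len(200));
	printf("10-byte buf: unfixed n=%d, clamped n=%d\n",
	       demo_unbounded_len(10), demo_clamped_len(10));
	return 0;
}
```

In the kernel the clamped variant collapses to a single call, since scnprintf() already returns the number of bytes it stored rather than the would-be length.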