linux-kernel.vger.kernel.org archive mirror
* [PATCH] powerpc/rtas_flash: fix a potential buffer overflow
@ 2021-07-14  1:16 Yi Zhuang
  2021-07-14  2:49 ` kernel test robot
  0 siblings, 1 reply; 2+ messages in thread
From: Yi Zhuang @ 2021-07-14  1:16 UTC (permalink / raw)
  To: benh, paulus; +Cc: zhuangyi1, hegdevasant, mpe, linuxppc-dev, linux-kernel

Since snprintf() returns the possible output size instead of the
actual output size, the available flash_msg length returned by
get_validate_flash_msg may exceed the given buffer limit when
simple_read_from_buffer calls copy_to_user

Signed-off-by: Yi Zhuang <zhuangyi1@huawei.com>
---
 arch/powerpc/kernel/rtas_flash.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/arch/powerpc/kernel/rtas_flash.c b/arch/powerpc/kernel/rtas_flash.c
index a99179d83538..4aa6bad28556 100644
--- a/arch/powerpc/kernel/rtas_flash.c
+++ b/arch/powerpc/kernel/rtas_flash.c
@@ -473,6 +473,10 @@ static int get_validate_flash_msg(struct rtas_validate_flash_t *args_buf,
 		    (args_buf->update_results == VALIDATE_TMP_UPDATE))
 			n += snprintf(msg + n, msglen - n, "%s\n",
 					args_buf->buf);
+			if (n >= msglen) {
+				n = msglen;
+				printk(KERN_ERR "FLASH: msg too long.\n");
+			}
 	} else {
 		n = sprintf(msg, "%d\n", args_buf->status);
 	}
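Review bot: the added "if (n >= msglen)" block follows a braceless condition whose only body is the "n += snprintf(...)" statement, so despite its indentation it is not guarded by that condition and sits at the same level as it. Put braces around the snprintf and the new check so the clamp belongs to the call it is checking. Separately, when snprintf truncates it stores at most msglen - n - 1 characters plus a terminating NUL, so "n = msglen" counts the terminator as message data. Clamping to msglen - 1, or doing the append with scnprintf() so that no clamp is needed, would return the length actually written.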
-- 
2.26.0.106.g9fadedd
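
The return-value behaviour described in the commit message above, as an added userspace example (not code from the patch or from the kernel tree). bounded_printf() is a hypothetical stand-in for the kernel's scnprintf(); the buffer size and the message text are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-in for the kernel's scnprintf(): returns the number of
 * characters actually stored (excluding the NUL), never the would-be length. */
static int bounded_printf(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int n;

	if (size == 0)
		return 0;
	va_start(ap, fmt);
	n = vsnprintf(buf, size, fmt, ap);
	va_end(ap);
	if (n < 0)
		return 0;
	return (size_t)n >= size ? (int)(size - 1) : n;
}

/* Pattern from the patch context: a status line, then a text line appended
 * with snprintf(), whose return value is the "would have written" size. */
int build_msg_snprintf(char *msg, int msglen, int code, const char *text)
{
	int n = sprintf(msg, "%d\n", code);
	n += snprintf(msg + n, msglen - n, "%s\n", text);
	return n;	/* may exceed msglen when the text is truncated */
}

int build_msg_bounded(char *msg, int msglen, int code, const char *text)
{
	int n = bounded_printf(msg, msglen, "%d\n", code);
	n += bounded_printf(msg + n, msglen - n, "%s\n", text);
	return n;	/* never more than msglen - 1 */
}

int main(void)
{
	char msg[16];
	const char *text = "constructed sample longer than the buffer";

	printf("snprintf: n=%d (buffer %zu)\n",
	       build_msg_snprintf(msg, sizeof(msg), 3, text), sizeof(msg));
	printf("bounded:  n=%d strlen=%zu\n",
	       build_msg_bounded(msg, sizeof(msg), 3, text), strlen(msg));
	return 0;
}
```

A caller that passes the first function's return value on as the amount of valid data would be told the 16-byte buffer holds 44 bytes, which is the condition the patch guards against.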



* Re: [PATCH] powerpc/rtas_flash: fix a potential buffer overflow
  2021-07-14  1:16 [PATCH] powerpc/rtas_flash: fix a potential buffer overflow Yi Zhuang
@ 2021-07-14  2:49 ` kernel test robot
  0 siblings, 0 replies; 2+ messages in thread
From: kernel test robot @ 2021-07-14  2:49 UTC (permalink / raw)
  To: Yi Zhuang, benh, paulus
  Cc: kbuild-all, zhuangyi1, hegdevasant, mpe, linuxppc-dev, linux-kernel


Hi Yi,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on powerpc/next]
[also build test WARNING on v5.14-rc1 next-20210713]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Yi-Zhuang/powerpc-rtas_flash-fix-a-potential-buffer-overflow/20210714-090314
base:   https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git next
config: powerpc-allyesconfig (attached as .config)
compiler: powerpc64-linux-gcc (GCC) 9.3.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/546db7a99374dedd110a01801ad4456f56170d4d
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Yi-Zhuang/powerpc-rtas_flash-fix-a-potential-buffer-overflow/20210714-090314
        git checkout 546db7a99374dedd110a01801ad4456f56170d4d
        # save the attached .config to linux build tree
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross ARCH=powerpc 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All warnings (new ones prefixed by >>):

   arch/powerpc/kernel/rtas_flash.c: In function 'get_validate_flash_msg':
>> arch/powerpc/kernel/rtas_flash.c:472:3: warning: this 'if' clause does not guard... [-Wmisleading-indentation]
     472 |   if ((args_buf->update_results >= VALIDATE_CUR_UNKNOWN) ||
         |   ^~
   arch/powerpc/kernel/rtas_flash.c:476:4: note: ...this statement, but the latter is misleadingly indented as if it were guarded by the 'if'
     476 |    if (n >= msglen) {
         |    ^~


vim +/if +472 arch/powerpc/kernel/rtas_flash.c

^1da177e4c3f41 arch/ppc64/kernel/rtas_flash.c   Linus Torvalds 2005-04-16  464  
^1da177e4c3f41 arch/ppc64/kernel/rtas_flash.c   Linus Torvalds 2005-04-16  465  static int get_validate_flash_msg(struct rtas_validate_flash_t *args_buf, 
a94a14720eaf55 arch/powerpc/kernel/rtas_flash.c Vasant Hegde   2013-05-07  466  		                   char *msg, int msglen)
^1da177e4c3f41 arch/ppc64/kernel/rtas_flash.c   Linus Torvalds 2005-04-16  467  {
^1da177e4c3f41 arch/ppc64/kernel/rtas_flash.c   Linus Torvalds 2005-04-16  468  	int n;
^1da177e4c3f41 arch/ppc64/kernel/rtas_flash.c   Linus Torvalds 2005-04-16  469  
^1da177e4c3f41 arch/ppc64/kernel/rtas_flash.c   Linus Torvalds 2005-04-16  470  	if (args_buf->status >= VALIDATE_TMP_UPDATE) { 
^1da177e4c3f41 arch/ppc64/kernel/rtas_flash.c   Linus Torvalds 2005-04-16  471  		n = sprintf(msg, "%d\n", args_buf->update_results);
^1da177e4c3f41 arch/ppc64/kernel/rtas_flash.c   Linus Torvalds 2005-04-16 @472  		if ((args_buf->update_results >= VALIDATE_CUR_UNKNOWN) ||
^1da177e4c3f41 arch/ppc64/kernel/rtas_flash.c   Linus Torvalds 2005-04-16  473  		    (args_buf->update_results == VALIDATE_TMP_UPDATE))
a94a14720eaf55 arch/powerpc/kernel/rtas_flash.c Vasant Hegde   2013-05-07  474  			n += snprintf(msg + n, msglen - n, "%s\n",
a94a14720eaf55 arch/powerpc/kernel/rtas_flash.c Vasant Hegde   2013-05-07  475  					args_buf->buf);
546db7a99374de arch/powerpc/kernel/rtas_flash.c Yi Zhuang      2021-07-14  476  			if (n >= msglen) {
546db7a99374de arch/powerpc/kernel/rtas_flash.c Yi Zhuang      2021-07-14  477  				n = msglen;
546db7a99374de arch/powerpc/kernel/rtas_flash.c Yi Zhuang      2021-07-14  478  				printk(KERN_ERR "FLASH: msg too long.\n");
546db7a99374de arch/powerpc/kernel/rtas_flash.c Yi Zhuang      2021-07-14  479  			}
^1da177e4c3f41 arch/ppc64/kernel/rtas_flash.c   Linus Torvalds 2005-04-16  480  	} else {
^1da177e4c3f41 arch/ppc64/kernel/rtas_flash.c   Linus Torvalds 2005-04-16  481  		n = sprintf(msg, "%d\n", args_buf->status);
^1da177e4c3f41 arch/ppc64/kernel/rtas_flash.c   Linus Torvalds 2005-04-16  482  	}
^1da177e4c3f41 arch/ppc64/kernel/rtas_flash.c   Linus Torvalds 2005-04-16  483  	return n;
^1da177e4c3f41 arch/ppc64/kernel/rtas_flash.c   Linus Torvalds 2005-04-16  484  }
^1da177e4c3f41 arch/ppc64/kernel/rtas_flash.c   Linus Torvalds 2005-04-16  485  

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

