From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-20.2 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_CR_TRAILER,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS, USER_AGENT_GIT autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E5A75C12002 for ; Mon, 19 Jul 2021 14:59:26 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id CFEE160551 for ; Mon, 19 Jul 2021 14:59:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242191AbhGSOSo (ORCPT ); Mon, 19 Jul 2021 10:18:44 -0400 Received: from mail.kernel.org ([198.145.29.99]:52200 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242036AbhGSORp (ORCPT ); Mon, 19 Jul 2021 10:17:45 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 8FC0761002; Mon, 19 Jul 2021 14:58:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1626706703; bh=OqlVlW0LsU0vKxFeVLwwIwGvxA81aFwZAMHvf4kI+sU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=xu7DwrWvQDNOTB701j3cEXkxMyaYLLSGvFG3lZLDub4RO4y/npsxQKmHx+v+4t67D +f1e4Bu37ie9WKOE7khNaVjateFwBvojcTahWYgT8ZJWfT2yrMYnXUj6uSqQHeDpvE M8AFR1Vj+K+euKPwNKFdt3KI3wbax89c9H/Yp2/g= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, =?UTF-8?q?Krzysztof=20Wilczy=C5=84ski?= , Bjorn Helgaas , "Rafael J. Wysocki" , Sasha Levin Subject: [PATCH 4.4 061/188] ACPI: sysfs: Fix a buffer overrun problem with description_show() Date: Mon, 19 Jul 2021 16:50:45 +0200 Message-Id: <20210719144927.258926864@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210719144913.076563739@linuxfoundation.org> References: <20210719144913.076563739@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Krzysztof Wilczyński [ Upstream commit 888be6067b97132c3992866bbcf647572253ab3f ] Currently, a device description can be obtained using ACPI, if the _STR method exists for a particular device, and then exposed to the userspace via a sysfs object as a string value. If the _STR method is available for a given device then the data (usually a Unicode string) is read and stored in a buffer (of the ACPI_TYPE_BUFFER type) with a pointer to said buffer cached in the struct acpi_device_pnp for later access. The description_show() function is responsible for exposing the device description to the userspace via a corresponding sysfs object and internally calls the utf16s_to_utf8s() function with a pointer to the buffer that contains the Unicode string so that it can be converted from UTF16 encoding to UTF8 and thus allowing for the value to be safely stored and later displayed. When invoking the utf16s_to_utf8s() function, the description_show() function also sets a limit of the data that can be saved into a provided buffer as a result of the character conversion to be a total of PAGE_SIZE, and upon completion, the utf16s_to_utf8s() function returns an integer value denoting the number of bytes that have been written into the provided buffer. Following the execution of the utf16s_to_utf8s() a newline character will be added at the end of the resulting buffer so that when the value is read in the userspace through the sysfs object then it would include newline making it more accessible when working with the sysfs file system in the shell, etc. Normally, this wouldn't be a problem, but if the function utf16s_to_utf8s() happens to return the number of bytes written to be precisely PAGE_SIZE, then we would overrun the buffer and write the newline character outside the allotted space which can have undefined consequences or result in a failure. To fix this buffer overrun, ensure that there always is enough space left for the newline character to be safely appended. Fixes: d1efe3c324ea ("ACPI: Add new sysfs interface to export device description") Signed-off-by: Krzysztof Wilczyński Reviewed-by: Bjorn Helgaas Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin --- drivers/acpi/device_sysfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/acpi/device_sysfs.c b/drivers/acpi/device_sysfs.c index 139ee989b0d0..c201aaf287dc 100644 --- a/drivers/acpi/device_sysfs.c +++ b/drivers/acpi/device_sysfs.c @@ -450,7 +450,7 @@ static ssize_t description_show(struct device *dev, (wchar_t *)acpi_dev->pnp.str_obj->buffer.pointer, acpi_dev->pnp.str_obj->buffer.length, UTF16_LITTLE_ENDIAN, buf, - PAGE_SIZE); + PAGE_SIZE - 1); buf[result++] = '\n'; -- 2.30.2