From: "Krzysztof Wilczyński" <kw@linux.com>
To: Bjorn Helgaas <bhelgaas@google.com>
Cc: Logan Gunthorpe <logang@deltatee.com>,
Joe Perches <joe@perches.com>,
"Oliver O'Halloran" <oohall@gmail.com>,
Michael Ellerman <mpe@ellerman.id.au>,
Benjamin Herrenschmidt <benh@kernel.crashing.org>,
Paul Mackerras <paulus@samba.org>,
Tyrel Datwyler <tyreld@linux.ibm.com>,
Russell Currey <ruscur@russell.cc>,
Kurt Schwemmer <kurt.schwemmer@microsemi.com>,
Vidya Sagar <vidyas@nvidia.com>,
Xiongfeng Wang <wangxiongfeng2@huawei.com>,
linux-pci@vger.kernel.org
Subject: [PATCH v6 6/6] PCI/sysfs: Fix a buffer overrun problem with dsm_label_utf16s_to_utf8s()
Date: Thu, 3 Jun 2021 00:01:12 +0000 [thread overview]
Message-ID: <20210603000112.703037-7-kw@linux.com> (raw)
In-Reply-To: <20210603000112.703037-1-kw@linux.com>
When using ACPI to retrieve a device label from _DSM using the
dsm_get_label() function the result can be retrieved either as a string
value or a pointer to a buffer.
Should it be the latter, then an additional function called
dsm_label_utf16s_to_utf8s() will be invoked to convert any UTF16
characters to UTF8 so that the value could be safely stored and later
displayed through a relevant sysfs object.
Internally, dsm_label_utf16s_to_utf8s() calls the utf16s_to_utf8s()
function to handle the conversion setting the limit of the data that can
be saved into a provided buffer as a result of the character conversion
to be a total of PAGE_SIZE. The utf16s_to_utf8s() function returns an
integer value denoting the number of bytes that have been written into
the provided buffer.
Following the execution of the utf16s_to_utf8s() a newline character
will be added at the end of the resulting buffer so that when the value
is read in the userspace through the sysfs object then it would include
newline making it more accessible when working with the sysfs file
system in the shell, etc. Normally, this wouldn't be a problem, but if
the function utf16s_to_utf8s() happens to return the number of bytes
written to be precisely PAGE_SIZE, then we would overrun the buffer and
write the newline character outside the allotted space which can have
undefined consequences or result in a failure.
To fix this buffer overrun, ensure that there always is enough space
left for the newline character to be safely appended.
Fixes: 6058989bad05 ("PCI: Export ACPI _DSM provided firmware instance number and string name to sysfs")
Reported-by: Joe Perches <joe@perches.com>
Signed-off-by: Krzysztof Wilczyński <kw@linux.com>
---
drivers/pci/pci-label.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/pci/pci-label.c b/drivers/pci/pci-label.c
index 000e169c7197..0c6446519640 100644
--- a/drivers/pci/pci-label.c
+++ b/drivers/pci/pci-label.c
@@ -146,8 +146,8 @@ static int dsm_label_utf16s_to_utf8s(union acpi_object *obj, char *buf)
len = utf16s_to_utf8s((const wchar_t *)obj->buffer.pointer,
obj->buffer.length,
UTF16_LITTLE_ENDIAN,
- buf, PAGE_SIZE);
- buf[len] = '\n';
+ buf, PAGE_SIZE - 1);
+ buf[len++] = '\n';
return len;
}
--
2.31.1
next prev parent reply other threads:[~2021-06-03 0:01 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-03 0:01 [PATCH v6 0/6] PCI/sysfs: Use sysfs_emit() and sysfs_emit_at() in "show" functions Krzysztof Wilczyński
2021-06-03 0:01 ` [PATCH v6 1/6] " Krzysztof Wilczyński
2021-06-03 0:01 ` [PATCH v6 2/6] PCI/sysfs: Use return value from dsm_label_utf16s_to_utf8s() directly Krzysztof Wilczyński
2021-06-03 0:01 ` [PATCH v6 3/6] PCI/sysfs: Fix trailing newline handling of resource_alignment_param Krzysztof Wilczyński
2021-06-03 23:40 ` Bjorn Helgaas
2021-06-04 13:25 ` Krzysztof Wilczyński
2021-06-03 0:01 ` [PATCH v6 4/6] PCI/sysfs: Add missing trailing newline to devspec_show() Krzysztof Wilczyński
2021-06-03 23:00 ` Bjorn Helgaas
2021-06-03 0:01 ` [PATCH v6 5/6] PCI/sysfs: Only show value when driver_override is not NULL Krzysztof Wilczyński
2021-06-03 21:17 ` Bjorn Helgaas
2021-06-03 21:37 ` Bjorn Helgaas
2021-06-03 22:19 ` Krzysztof Wilczyński
2021-06-03 23:23 ` Bjorn Helgaas
2021-06-04 0:47 ` Alex Williamson
2021-06-04 1:10 ` Krzysztof Wilczyński
2021-06-03 0:01 ` Krzysztof Wilczyński [this message]
2021-06-04 4:07 ` [PATCH v6 0/6] PCI/sysfs: Use sysfs_emit() and sysfs_emit_at() in "show" functions Bjorn Helgaas
2021-06-04 13:38 ` Krzysztof Wilczyński
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210603000112.703037-7-kw@linux.com \
--to=kw@linux.com \
--cc=benh@kernel.crashing.org \
--cc=bhelgaas@google.com \
--cc=joe@perches.com \
--cc=kurt.schwemmer@microsemi.com \
--cc=linux-pci@vger.kernel.org \
--cc=logang@deltatee.com \
--cc=mpe@ellerman.id.au \
--cc=oohall@gmail.com \
--cc=paulus@samba.org \
--cc=ruscur@russell.cc \
--cc=tyreld@linux.ibm.com \
--cc=vidyas@nvidia.com \
--cc=wangxiongfeng2@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.