From patchwork Thu Aug 24 01:03:52 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bjorn Andersson X-Patchwork-Id: 110863 Delivered-To: patch@linaro.org Received: by 10.140.95.78 with SMTP id h72csp4923796qge; Wed, 23 Aug 2017 18:03:58 -0700 (PDT) X-Received: by 10.98.64.134 with SMTP id f6mr4811898pfd.178.1503536638836; Wed, 23 Aug 2017 18:03:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1503536638; cv=none; d=google.com; s=arc-20160816; b=Xy1UsU8rRiUWm1sgzoXLUGlNQnWmfzEx+Q0W1ymwV10m2Fwa1LPTR1yn6d/2n/e4v/ qQfL/GqMY9tCnK4fJ/5FWzrBkVidlx5kAivsJ/jfvik4qBtsnhDGM5mNNyzZ4k+r+u3B dHP43SBlDKH6gef37sjPxKQyKmEAE07sZS67ZOBq1sC2QySQgfsmPbSnE/mgxpKuNPt4 Je+4p0Jb5ds0erGssM1AMKcYJ43Q0iyleLfXkkuq2wXkeFyArU3uQOSDBT6ZQBQXKrY9 ysNtkYK1xPGoEOEvHfBVObaHUy48+mQ49/jSoeqsQRfmtONjs8WXFRFRXCSz9oi+XG8h oRAA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature:arc-authentication-results; bh=RbDKcXRMtn9A1Z8DYBip8nodQ+A2bA02MRUaEIXJlpY=; b=C2HDFAgPocNgtONiA7Az1TrYSNJ1n3LbGRIDfmttLlYDjU1aI09ucnSEh//YJsKUTO m71E6A+7OiYbKD5KteFKNLwmC4eZywkM1Cggpc560RFpRXMtYAP8+0JlzNrJHIuOzdAM IQisd8DyvEBKNIjN3yDJhst6wrLq1ErM9TnDSSgZ4ZQDjxMk6TxeFQlYXijDJEQ/uJ11 /6BWc9oe2pp6Luf0Ma/DfAj71ba0rFOk5JBmDl86fxLWtR1ya5aKx9zBmveiZ88UNJ2Z iq1Vg0Sc77oV0fs6fzR9r5NHoU8TlcNGjqwWc22D1mT52mpY9WdPN3arbzafXCQ8Srv0 L1mQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@linaro.org header.s=google header.b=MtH4lGqt; spf=pass (google.com: best guess record for domain of devicetree-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=devicetree-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o64si1861220pfk.249.2017.08.23.18.03.58; Wed, 23 Aug 2017 18:03:58 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of devicetree-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@linaro.org header.s=google header.b=MtH4lGqt; spf=pass (google.com: best guess record for domain of devicetree-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=devicetree-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751019AbdHXBD5 (ORCPT + 6 others); Wed, 23 Aug 2017 21:03:57 -0400 Received: from mail-pg0-f42.google.com ([74.125.83.42]:36791 "EHLO mail-pg0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750715AbdHXBD4 (ORCPT ); Wed, 23 Aug 2017 21:03:56 -0400 Received: by mail-pg0-f42.google.com with SMTP id 83so8043511pgb.3 for ; Wed, 23 Aug 2017 18:03:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id; bh=GklsOnjDhpCBdW+J0+bTi345kk1e33B+NIlnYgLdWEg=; b=MtH4lGqtIaeY85MDe6B1Xz55V30IwozjVLLVGoqn3j71y2QcAqYLyBCCPWgIzF7YZR oO43VTClgJ0vDtIGyWBvArKxMEwB0Xfm/Xx1aPIRiXIPCSYCS0IwgBVcKjYt3cPyF4n2 1TvJ0uJ4khKfJpvpZzPEZhPrHK87b5BaLvo1Q= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=GklsOnjDhpCBdW+J0+bTi345kk1e33B+NIlnYgLdWEg=; b=VXQ0HopoN6eQoySSUi6Lxdt4qd1ybDav52tQ9W5RPAWW+S1Mu9Tou3f+zofVxpPk6D 40mwDUDzVRFK4/Rt7JB9zZQjePWspQcUisnLxwTrBjjscOg4QbBP19JkU/Ncswc9MiUS JAZmOL+hqjqTSoENSY1D9EpC+wpSG71sGwNtH09pUcHoV1RNAb1Dls1HZncXIaljo77E tqZeAqkHNo3drc3mNEf6jS+sCFw/w4lNQ6uYUJcq8GJhR/eh8kIdSPIaPKIN3jyVhdFa 9s4VzqHU1zJQfXVySNGSTSmk3Y7S48yl68Lu85nhxfISJPWdwRYfuRBr4f9BCgo2e/cw DWCA== X-Gm-Message-State: AHYfb5gLG7hpfqWHbDsZLyskDAwVjPvNuJ5cFSFxfWNlLx1y2PKW4tFV O9L/qnqaETdtxKpA X-Received: by 10.99.142.74 with SMTP id k71mr4548080pge.86.1503536635991; Wed, 23 Aug 2017 18:03:55 -0700 (PDT) Received: from localhost.localdomain (ip68-111-217-79.sd.sd.cox.net. [68.111.217.79]) by smtp.gmail.com with ESMTPSA id k72sm4312842pfh.132.2017.08.23.18.03.54 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 23 Aug 2017 18:03:55 -0700 (PDT) From: Bjorn Andersson To: Rob Herring , Frank Rowand Cc: devicetree@vger.kernel.org, linux-kernel@vger.kernel.org, Rob Herring Subject: [PATCH] of/device: Fix of_device_get_modalias() buffer handling Date: Wed, 23 Aug 2017 18:03:52 -0700 Message-Id: <20170824010352.9085-1-bjorn.andersson@linaro.org> X-Mailer: git-send-email 2.12.0 Sender: devicetree-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: devicetree@vger.kernel.org of_device_request_module() calls of_device_get_modalias() with "len" 0, to calculate the size of the buffer needed to store the result, but due to integer promotion the ssize_t "len" will be compared as unsigned with strlen(compat) and the loop will generally never break. This results in a call to snprintf() with a negative len, which triggers below warning, followed by a dereference of a invalid pointer: [ 3.060067] WARNING: CPU: 0 PID: 51 at lib/vsprintf.c:2122 vsnprintf+0x348/0x6d8 ... [ 3.060301] [] vsnprintf+0x348/0x6d8 [ 3.060308] [] snprintf+0x48/0x50 [ 3.060316] [] of_device_get_modalias+0x108/0x160 [ 3.060322] [] of_device_request_module+0x20/0x88 ... Further more of_device_get_modalias() is supposed to return the number of bytes needed to store the entire modalias, so the loop needs to continue accumulate the total size even though the buffer is full. Finally the function is not expected to ensure space for the NUL, nor include it in the returned size, so only 1 should be added to the length of "compat" in the loop (to account for the character 'C'). Fixes: bc575064d688 ("of/device: use of_property_for_each_string to parse compatible strings") Cc: Rob Herring Signed-off-by: Bjorn Andersson --- drivers/of/device.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) -- 2.12.0 -- To unsubscribe from this list: send the line "unsubscribe devicetree" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/drivers/of/device.c b/drivers/of/device.c index 6f33a0e0d351..7cff599a9c6a 100644 --- a/drivers/of/device.c +++ b/drivers/of/device.c @@ -195,10 +195,11 @@ EXPORT_SYMBOL(of_device_get_match_data); static ssize_t of_device_get_modalias(struct device *dev, char *str, ssize_t len) { - const char *compat, *start = str; + const char *compat; char *c; struct property *p; ssize_t csize; + ssize_t tsize; if ((!dev) || (!dev->of_node)) return -ENODEV; @@ -206,12 +207,16 @@ static ssize_t of_device_get_modalias(struct device *dev, char *str, ssize_t len /* Name & Type */ csize = snprintf(str, len, "of:N%sT%s", dev->of_node->name, dev->of_node->type); + tsize = csize; len -= csize; - str += csize; + if (str) + str += csize; of_property_for_each_string(dev->of_node, "compatible", p, compat) { - if (strlen(compat) + 2 > len) - break; + csize = strlen(compat) + 1; + tsize += csize; + if (csize > len) + continue; csize = snprintf(str, len, "C%s", compat); for (c = str; c; ) { @@ -223,7 +228,7 @@ static ssize_t of_device_get_modalias(struct device *dev, char *str, ssize_t len str += csize; } - return str - start; + return tsize; } int of_device_request_module(struct device *dev)