[{"id":3670794,"web_url":"http://patchwork.ozlabs.org/comment/3670794/","msgid":"<b23eb8ca-ef38-6288-0891-fe91148e11cd@gmx.de>","list_archive_url":null,"date":"2026-03-29T20:48:24","subject":"Re: [PATCH] staging: nvec: validate battery response length before\n memcpy","submitter":{"id":9663,"url":"http://patchwork.ozlabs.org/api/people/9663/","name":"Marc Dietrich","email":"marvin24@gmx.de"},"content":"Hello Sebastian,\n\nOn Tue, 24 Mar 2026, Sebastian Josue Alba Vives wrote:\n\n> In nvec_power_notifier(), the response length from the embedded\n> controller is used directly as the size argument to memcpy() when\n> copying battery manufacturer, model, and type strings. The\n> destination buffers (bat_manu, bat_model, bat_type) are fixed at 30\n> bytes, but res->length is a u8 that can be up to 255, allowing a\n> heap buffer overflow.\n>\n> Additionally, if res->length is less than 2, the subtraction\n> res->length - 2 wraps around as an unsigned value, resulting in a\n> large copy that corrupts kernel heap memory.\n>\n> Add bounds checks before each memcpy to ensure the copy length does\n> not exceed the destination buffer size, and that res->length is at\n> least 2 to prevent unsigned integer underflow.\n>\n> Cc: stable@vger.kernel.org\n> Signed-off-by: Sebastian Josue Alba Vives <sebasjosue84@gmail.com>\n> ---\n> drivers/staging/nvec/nvec_power.c | 6 ++++++\n> 1 file changed, 6 insertions(+)\n>\n> diff --git a/drivers/staging/nvec/nvec_power.c b/drivers/staging/nvec/nvec_power.c\n> index 2faab9fde..29beef0a7 100644\n> --- a/drivers/staging/nvec/nvec_power.c\n> +++ b/drivers/staging/nvec/nvec_power.c\n> @@ -193,14 +193,20 @@ static int nvec_power_bat_notifier(struct notifier_block *nb,\n> \t\tpower->bat_temperature = res->plu - 2732;\n> \t\tbreak;\n> \tcase MANUFACTURER:\n> +\t\tif (res->length < 2 || res->length - 2 > sizeof(power->bat_manu) - 1)\n> +\t\t\tbreak;\n\nI think this check is a valid one, even if unlikely to fail. Could be a\nbit nicer by replacing sizeof() with a contant and storing res->length-2 \nto some variable, but I guess that's a matter of taste.\n\nTested-by: Marc Dietrich <marvin24@gmx.de>\n\nThanks,\n\nMarc\n\n> \t\tmemcpy(power->bat_manu, &res->plc, res->length - 2);\n> \t\tpower->bat_manu[res->length - 2] = '\\0';\n> \t\tbreak;\n> \tcase MODEL:\n> +\t\tif (res->length < 2 || res->length - 2 > sizeof(power->bat_model) - 1)\n> +\t\t\tbreak;\n> \t\tmemcpy(power->bat_model, &res->plc, res->length - 2);\n> \t\tpower->bat_model[res->length - 2] = '\\0';\n> \t\tbreak;\n> \tcase TYPE:\n> +\t\tif (res->length < 2 || res->length - 2 > sizeof(power->bat_type) - 1)\n> +\t\t\tbreak;\n> \t\tmemcpy(power->bat_type, &res->plc, res->length - 2);\n> \t\tpower->bat_type[res->length - 2] = '\\0';\n> \t\t/*\n> -- \n> 2.43.0\n>\n>","headers":{"Return-Path":"\n <linux-tegra+bounces-13395-incoming=patchwork.ozlabs.org@vger.kernel.org>","X-Original-To":["incoming@patchwork.ozlabs.org","linux-tegra@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n secure) header.d=gmx.de header.i=marvin24@gmx.de header.a=rsa-sha256\n header.s=s31663417 header.b=aCFNwrY8;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=linux-tegra+bounces-13395-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=gmx.de header.i=marvin24@gmx.de\n header.b=\"aCFNwrY8\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=212.227.17.22","smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=gmx.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=gmx.de"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fkRLP66SLz1xrn\n\tfor <incoming@patchwork.ozlabs.org>; Mon, 30 Mar 2026 07:48:45 +1100 (AEDT)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 2CD40300D462\n\tfor <incoming@patchwork.ozlabs.org>; Sun, 29 Mar 2026 20:48:29 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 0128B38758C;\n\tSun, 29 Mar 2026 20:48:29 +0000 (UTC)","from mout.gmx.net (mout.gmx.net [212.227.17.22])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id B49B12DEA61;\n\tSun, 29 Mar 2026 20:48:26 +0000 (UTC)","from client.hidden.invalid by mail.gmx.net (mrgmx104\n [212.227.17.168]) with ESMTPSA (Nemesis) id 1MVNB1-1vzdcd30tj-00IwUc; Sun, 29\n Mar 2026 22:48:24 +0200"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1774817308; cv=none;\n b=HrbvfxlmuZts9dEFPxa7Tazoy//FphNbWtX98yTp/V6hiRzCuk7Qw4dfXONg6Djxdtp1Fc0HuDVNXjeLV7v8yP7zOvoJwmoCLfbycQ37LQKj6zl+f3i0/61L0NuTRgs0nxM1tRRVFoQH6VZQn6JLIu8q1GbZUlQ83rdDbhQhg1I=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1774817308; c=relaxed/simple;\n\tbh=FRfIclqbGAMKvlimIjgixptcPvX/DfRkYbvjBjyjlr4=;\n\th=Date:From:To:cc:Subject:In-Reply-To:Message-ID:References:\n\t MIME-Version:Content-Type;\n b=eYGtf9AdsRSGXmMwGR5QjAnWw2b0R69JGoIqWUyh6eBxvSYnDrhNbDgSme8h/4sAqFl60wPNJmQxAtddOZk8wtHnjhRd0uC7x4nrossvE+FIqiE1SeACfmXxhQXaa0TG3oICX0mBhfVlg2df29F2YHKnz+F/LN9wCtFW0KOrTzA=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=pass (p=quarantine dis=none) header.from=gmx.de;\n spf=pass smtp.mailfrom=gmx.de;\n dkim=pass (2048-bit key) header.d=gmx.de header.i=marvin24@gmx.de\n header.b=aCFNwrY8; arc=none smtp.client-ip=212.227.17.22","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmx.de;\n\ts=s31663417; t=1774817304; x=1775422104; i=marvin24@gmx.de;\n\tbh=OtNcuLB3T8KYnUkH14k7NMFCJItLMiwi7/E76QEkjKQ=;\n\th=X-UI-Sender-Class:Date:From:To:cc:Subject:In-Reply-To:Message-ID:\n\t References:MIME-Version:Content-Type:Content-Transfer-Encoding:cc:\n\t content-transfer-encoding:content-type:date:from:message-id:\n\t mime-version:reply-to:subject:to;\n\tb=aCFNwrY8LXCJ42ZkBOKcpimcPi9vyD0F28U1EXv0Q3VbQlvNqAuRSpBJi250USxz\n\t cv4diT6xM4sGN8UEK6LcyasvAYFuV6XEwSqUAE16mX58Li4wJeQswjhS+3mdkNUpS\n\t 2NPETT2LkfUTPlx5t604ErZdioGpIs3pFKjlphJntpMCIcjSz6grf+UZwfMpS5w2s\n\t DXZR4nZCfuqHZRMyHotG0HU0Ykk7FuWlUqdkXhTvmwB8i92RiCf/pCm9nRSQpCoE8\n\t giD0lXcZ8C8iw+4pQ99FYGThp9B/Z7dj39KoIu42AJOG0kyaZsT4u4hMk00/pAN7V\n\t krV8TCpXCjunmX/9Ow==","X-UI-Sender-Class":"724b4f7f-cbec-4199-ad4e-598c01a50d3a","Date":"Sun, 29 Mar 2026 22:48:24 +0200 (CEST)","From":"Marc Dietrich <marvin24@gmx.de>","To":"Sebastian Josue Alba Vives <sebasjosue84@gmail.com>","cc":"ac100@lists.launchpad.net, linux-tegra@vger.kernel.org,\n    linux-kernel@vger.kernel.org, stable@vger.kernel.org","Subject":"Re: [PATCH] staging: nvec: validate battery response length before\n memcpy","In-Reply-To":"<20260324195041.38343-1-sebasjosue84@gmail.com>","Message-ID":"<b23eb8ca-ef38-6288-0891-fe91148e11cd@gmx.de>","References":"<20260324195041.38343-1-sebasjosue84@gmail.com>","Precedence":"bulk","X-Mailing-List":"linux-tegra@vger.kernel.org","List-Id":"<linux-tegra.vger.kernel.org>","List-Subscribe":"<mailto:linux-tegra+subscribe@vger.kernel.org>","List-Unsubscribe":"<mailto:linux-tegra+unsubscribe@vger.kernel.org>","MIME-Version":"1.0","Content-Type":"text/plain; charset=US-ASCII; format=flowed","X-Provags-ID":"V03:K1:WKfW4+YMLfLZLHNi/WHZT3MAY3/XWAogRELxput+1HFw+zVNheI\n IJH23CedrMEOVA55G5uYM/Z167aD2oKIwwYupbc4pOYhzT5KyRLFsMDzImQXOwqekBQSkEk\n WKQhOBtmTxJdjxO6gABVqEgBkZemamQkZuBPE6ibMuAIfRse9uVxLt2YQ8Drr2kbA1IxqaV\n yU7ndsD598z5EdU+crayg==","X-Spam-Flag":"NO","UI-OutboundReport":"notjunk:1;M01:P0:TWBZMhMQbsw=;XJIWqFlxuCDgEbE/N3DufyuaTYF\n DsoIf+fBucB1rdwSI9NhiDwhPT8jhzMhQTQKTDceYAaf7gkHGKgDLb3cbZh8wBWBc7zvtu5yA\n NL4kDc7UuoYmmr8Kzc3VZj572zNaf+ABr3hSyHggD2CcL+cd6lJJjgDfbjgyCV1TrK/9TidrL\n ABD3aClTzmgeKEbFKmBxbh+jgikI4V1WM8rAfsyAjgE2OSpgwbJPaSLUBwSIHDQJhkEJDcw1p\n R6VSjM9RFTvrjUN/TYVdhjy1KzpQ+khg2BhPeasrrCZB1CBI5r+yzaFr4W1Wc1Z5n7thdbxok\n PHDvMtlknowttTPo6qfNsXnUyNZJhBAwwzSqc7yqtGSLAk7jPW473X3Tr0VpsIxLtMrRLR+Ea\n FB0K1OuVaXAwWZgozomHKsPXdiLfxj13tHH4oOFdwB8NCiZW2S/70b9jesrfH8VXxH4BLqZmn\n R374plhjLoZAPsp9QKdc8TnOQK5o8fKBZ9G87k03wb+R2mohdM+N12at+VhjNfRD+nPGRR0F4\n vgoj5JnExIZG1cs0vQIXNnDgcJ7cd3QicFyQ34Ih997dFUpIKURaEmsmU2HGkYOyqS5ashNmB\n HAE9taYWw1mdxedckplFJe10h22qSci22Aq+9IMqMaFSMETac5Zb7Qf7r7UGcGoe1RKpd0Gip\n I9nUWiUB70q6Sf1OB17nUtUgXOb3QgxYRgPuh9f3GNbAqcBV/KNMLuGPYetRudGuFouwj/rZY\n cuEIQvMd9194JGlImvDVC/bswVP3a2Mjo6ZcEtOGBJZo6e4ZjKv6IL3U+ehgUTH5sFD5drow4\n yQ1zwpEQOlL/gkRRAozyw6wWPfB+RJ4Sysb5TYE7CgOh4BeXwBncjiFbgcxR6k/QwsRHF+Yt+\n pwUET/gtD0KAdZYUHabC3hdBoj7W0bvDzaknHH79n+xCOo2iAPMn3vFG8hRL75bTG9fyd8Baf\n y65CKRcyJsDIrg5+S0rjAMXHOFHiawOPkbU6Ndr4BDQEmErKH6oTZT2RH4P0td1ab6GU+B6e6\n vaqGyBtA223Kv0wLWBhjUW895XuyrewRc7imBYsVXVEutgDMcHvqcZbhzBagTpeQHNe+N9h+E\n PnVVhlBCHj66O5wJhCm1biCbbD8RUNLjKsfR1aoPh/kFZRavd/VvAp2FajK2q6/LWY6T8N66L\n 3ZkOnovN2bEVSSXggyPZc/kb2FCOOjzIGynTmaGggzpb7eyl2ktzVVf661c6Zxiw+a/eDeQ/J\n 4eBZw2hOLX5WlS6EYwsm0uKpJxIjqZr/NO+sJKrIV9ShqInKE3iNHUno1f/fz9M38SZs/378R\n XwcJqR+E1Z6NjX5z8K/bP4SECOVhFSWAuiZO+OUCRWMS2Tc1Wr5S5YB+bVOrk9xupeTvcIEjL\n pc1dtLsopSge2PrEr4zfnZK+voT7GZHIIQ1qJEly78oc8YJybb0dQRlPONpxeNsnli5fiU+uj\n jt+VTtjNZbG17kqXzPzXfezImUOArbIIK2CNTBVdPZbaDHMl/uZX0pU5nod1CX0lRkbzX0uDX\n eRZPaUegIDrrK1JKzryheanUGtTlWJMn+ooNBSROUrMazjlAs20E1nN/fez7F6uQaCdIE8wPz\n neUIl5V/2IVIeNxwCQB6eIABiQvPBn9o/eJfRT2zr9QlMH8slhZP5mJeveporv8ZYaoiDobvg\n KvlmgoC6KpmErrfN2YI1GJIQvMwkAc6+S1hhYo+3yuE5nMtHPR9KLKNvkJICQldzfi3CHcYvj\n AJgAm+GIzpIQSOkSCxbNAxEn0jM0eZYHDlGXP6bxMzPUvzF4Bl0bP3d2B+Rc8lETCc0holnlB\n 9QIpBEbDZP3wPt0suEBkWAIFTcdlOZ047TvtyL4171PoyDhmSRLgxD8StxrsbvYJ7cuIgLm5N\n MuCshw8U3qwEt86mJ7KlgJZgDLEWdBEcsEUp3LSS/wamCIB0MSVWfK10+Lb6tPEf5mdK8SLOv\n ObvBoYhGoK6w4ubs77UW9xThvuKXRTIUVRhaxIGoKZ/s3garYPRLfB8nywg/MxyCrVmH7Sf4B\n IyAQHqjCMoN6ougItDFRfvKJ4R41f8LryB184GnWj2cCOVkGPEyLu2T6+aezJxI0Crcvj5h3D\n K0nkhcS+rUPsRSdbzvNZXC/rPDnwZdpYCNLHEXAZJVl5S7+/y+cxiuPuL1+XPwmz6rskjRw8B\n j4vmzkO0PQG8MXFSOXdsVPGHXtcOLo7M2wg46h401e+AnCyiYjJ7+TJZktwq8ixviOSgdNa+m\n DhWelxDTyXJqJU8vnm+7peiT+dWikmit3drtGvKTtusqB1eYNh0sE11kIfc9VMd9sK5w8p7dK\n swzabNdOc25iOeCu1lMgTzOLiZOpPaqfAVEgnaOudRBzND04xbTA1LMCpoXPrWc/51dwxR/UD\n JgbsHgQ31Ko7KBV22aYxkHprElzIiRDkaliZ5uts+9HY1cxWYCdZh0bfb5syAZpmyp2exelLR\n ULRR60BBA79rAm7kf1wfWLrw0f+Hwd7hZVzg9KHJ/AWdUXUFdmJFPfUwbcQfSMz6JorqH0z40\n +HTFS4Nof8SwoK/Re002zvF+Lxr6C7QokfPfOYqDKL1qfaBPmWbMmUxoTmMlAIPOIqNgXwLhV\n ywMlDLKxfcqYLI2gsjl7LcHx/VZ3xcI5yTtSv0omiGbAJ5oibGrQyBoCgQRap+Ogu4TSTKpGq\n Nh+MD/2KsCTZEmRzpLLxE7dqKCnqCG1ANBHrGEwTb3QA0VsOuusgCxQcd2Ac4IK80GjsMb0Fa\n H69nn58Phq1sP/nBiYrFdaJuz//p1qBfAbgpEN/vZZZzO454WFfttoZwtcFq1fD4u8NdhtENg\n yZRzXEvt8AQ8g0SCpQhj+XdisgxdZhqLZXuabWEv40MxSNLEE9eHOPUje6s0iO6fthmZCTFeh\n aZLNXu5V6CtG9l2iPlskeRA+L4tGiT/RrJyU77hlqMA4GhjPNxCL75pjUslP5dHL4icNvJEEw\n tikr676bRbzktPINpaLlOktpTMe+TeSjpTipHdMszQhnIHl1fxyHRkuZrqjre45lvG11BfOOg\n FEY+JQTrD8kRSBNy5WvI74WW/NDAx3RJakm5WQ3cDE5a7jF0i94QvCLdQOmHjesV9XSk+pV8y\n eu5rOTywjUY/PuEfE4gZVIuQB3M0uJ9Sh4I69A2PMinYsBiIP/KXDARDZUUZaL+tfpUgARU+J\n dkiI4jTPSQ4jY3RSmo12Q91C6GWuuc34GA1DxwaYA7LoQbTg4YP/WwoG0ohuEcV7KrKI9EG9E\n ny0M6l13KxmP9/M2uhWoj+xhi83SygDWXlxrJj3nlLHmTvL0birF40DVV6bawF6etSdwYLyBM\n uANjUI3O1C53evRM16Oz8dOOA2fkZOmgWk5JsiZjrL4DbAMek3FRXeFj9pJ+EV5Ilp3bPDs/H\n aqGjOdZwHcCYLovRKifIl+oaoeMI2YWDDZB+RjwzshWH5sXKv+6pFeAQyIP2jPzUKzspV7BJ+\n 1VrHYPA5LgiYT/i1kqWx9plsxJWvSmLwucslFWqGy2haqJJINIR1O8Kp48YI3980uMT1sNsPw\n h+4KRbcgSkTfMICthWg2ON6/YCi2u5VByuU09E7IFD2dvdxYe1OIrzoVKXV8J0m1Sf3K1sVNn\n cXRsjT+tw9xXHG6hVL3O9quBBl8RbLAqrGFpF+Xda+7HkbO+pNoOwZOs9cuZNfHazuQe0+vn7\n 7MWtDyLh/LawEa3Fq4QqFwU29e+9GzpCXgw3Ia6kcZ0urFlBmxlHZWhr2wmCYG8K3CoOsw7r0\n uk52jIRCKTohu+aYauyEU2enPTACwJsk19YtfYCkqbNRScRSbDIOp04TjcjUoVddog+FN9jJ7\n DlSnxnvhtZk192AN/xRDwXRprmT7Z5bAyzn4hJEvuMu6NN+DEzy/TRe34rLd1S+L2wLwLxBfJ\n VsZbaUaH+vqZ8dKeeGItT0SCJoO/G8G10NIKmyM+YrIyuaftAjR/ijOTQTN/+/TfwNUi0ZEwv\n mn1Ovp+h/Q6chFpXHSTv1lUj0Hr7QzZiCjQXFLPkrCAU+efT4blQYRp7+OEOJiWBu3ZdRMy3A\n PGw/CYOJ4dUoBFc5y4WJEQ6K2q7HvHyn89MaUwgTlTdP/B7/hKUSJeoxCyDUrLCc+kXQUiN7T\n bGXCwji71nUe5BWcPBALy41xpg9v9/AtYIk9+BZbM14SDAwfCXZQLNDFqk0gXsxa76zPLPhxh\n 0tVi32AhuJ83leLmhWr33SFj/f4MlS6luKbyTVeZqi/MM5B5YAeita509Ild+bltnqtjfiIk2\n pfiHoOtnvYFy/kmv1r9ZoLcS5hdnzG9ss2TzneaGLGiDKFK1dRzKN49FD6GdmAonhV5H/tthL\n cy9BhDVS64W0b85jnD1EGpSF1t2frySqabnlKGcQhhX1wQ2yKNpW5YR2+WGDXQ34YMw/JfEwD\n IvHDKx0NA9gKPJJrqN9Sj98DKnMKwHBOgHtL/kMT0xx4nYJ2dZhKXMTRUGBB7Kooa8UZxQN9y\n ZYU0i3MtRsqiR+cb/DGy4kVrKwee/SHGp5R3Bs0kkPTRYxIuxxbz7NdoJ7IzG/aAVdtc3vGTc\n 8zjzUycgMHmjiM8qS+/uHm1fvvrJbLSmwAxaRFCgiSS9rkj8wW+U0dV8RUh8eTkBi5coj35c+\n jpMN5AR4qQIqlHqycHaqkPXAdq79SqP++XOMHuUs6dF30cHMgukA2thNTOI2BXjfiu4Ma1mkw\n NLtx9vXaIbFRvhds90H0Sv/tDya+KYsIW4z86/ezo37GftMsspAfeijr5IqLtAMslI/q5z0iX\n YMJ6R3rIzJIf3no6Io8JTjPX2SNh1Agg6fbWqJYZ+e+owi1C7Nmm1WnT+LUivuKquSrY5GW6Z\n LWy+lqhSNQ0y7z604qsRugolw2JuauumitJP48o0mAkl920k5p5vT4vR1EWQ8MVkQrLmR2lAb\n IyQNDx2ejEr98m42UjvOdc6VJLS/+8kSvIjCKHgXzM1wfGnim3e9W42LZYbrbF054zmGdfknP\n nHl3dP9Dq9n4YBlwg0LRxMENo9Cypwi13x0Xo9hUmEgIx4B9CJaZGFhccbhljtpwUBrIz3it5\n 9IkxNLmoGOw9X0cq1DvUJf2AFLIepUnHIUGNdI9OTMzNE17Jj2cOeh2r+Vd81SMaf65uE3jp0\n MGgdEUPqMkT4gO0ThRkWczFHKMjYCJ6h26croSp0h9awijUDVpuVLRPkwIO4yI+uxxBF9RFo1\n NejCmDIZDkTrs6z7zKTYA0jKO1wbIe78/cCzuk/KMAzIaWPox3SnKqXMV1QA45/JyDkddGqFo\n YC+7qx639IUPZO0S69Yi2yaPAB2FihdDUTB/ZVhOIRRCvcd5FZzI5x3JYhXodH3tUTUmoDavb\n 6HyDvHPi8m6","Content-Transfer-Encoding":"quoted-printable"}}]