{"id":812241,"url":"http://patchwork.ozlabs.org/api/patches/812241/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-pci/patch/20170911074542.16777-4-nstange@suse.de/","project":{"id":28,"url":"http://patchwork.ozlabs.org/api/projects/28/?format=json","name":"Linux PCI development","link_name":"linux-pci","list_id":"linux-pci.vger.kernel.org","list_email":"linux-pci@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20170911074542.16777-4-nstange@suse.de>","list_archive_url":null,"date":"2017-09-11T07:45:42","name":"[3/3] driver core: platform: Don't read past the end of \"driver_override\" buffer","commit_ref":null,"pull_url":null,"state":"not-applicable","archived":false,"hash":"549558267cdf081a48745847eb8fc1ee8b63480d","submitter":{"id":72345,"url":"http://patchwork.ozlabs.org/api/people/72345/?format=json","name":"Nicolai Stange","email":"nstange@suse.de"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/linux-pci/patch/20170911074542.16777-4-nstange@suse.de/mbox/","series":[{"id":2449,"url":"http://patchwork.ozlabs.org/api/series/2449/?format=json","web_url":"http://patchwork.ozlabs.org/project/linux-pci/list/?series=2449","date":"2017-09-11T07:45:39","name":"make PCI's and platform's driver_override_store()/show() converge","version":1,"mbox":"http://patchwork.ozlabs.org/series/2449/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/812241/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/812241/checks/","tags":{},"related":[],"headers":{"Return-Path":"<linux-pci-owner@vger.kernel.org>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@bilbo.ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=linux-pci-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)","Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xrKk10cR0z9s7M\n\tfor <incoming@patchwork.ozlabs.org>;\n\tMon, 11 Sep 2017 17:46:17 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1751179AbdIKHpw (ORCPT <rfc822;incoming@patchwork.ozlabs.org>);\n\tMon, 11 Sep 2017 03:45:52 -0400","from mx2.suse.de ([195.135.220.15]:47701 \"EHLO mx1.suse.de\"\n\trhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP\n\tid S1751089AbdIKHpv (ORCPT <rfc822;linux-pci@vger.kernel.org>);\n\tMon, 11 Sep 2017 03:45:51 -0400","from relay1.suse.de (charybdis-ext.suse.de [195.135.220.254])\n\tby mx1.suse.de (Postfix) with ESMTP id B294FABBC;\n\tMon, 11 Sep 2017 07:45:49 +0000 (UTC)"],"X-Virus-Scanned":"by amavisd-new at test-mx.suse.de","From":"Nicolai Stange <nstange@suse.de>","To":"Bjorn Helgaas <bhelgaas@google.com>,\n\tGreg Kroah-Hartman <gregkh@linuxfoundation.org>","Cc":"Adrian Salido <salidoa@google.com>, Sasha Levin <sasha.levin@oracle.com>,\n\tlinux-kernel@vger.kernel.org, linux-pci@vger.kernel.org,\n\tNicolai Stange <nstange@suse.de>","Subject":"[PATCH 3/3] driver core: platform: Don't read past the end of\n\t\"driver_override\" buffer","Date":"Mon, 11 Sep 2017 09:45:42 +0200","Message-Id":"<20170911074542.16777-4-nstange@suse.de>","X-Mailer":"git-send-email 2.13.5","In-Reply-To":"<20170911074542.16777-1-nstange@suse.de>","References":"<20170911074542.16777-1-nstange@suse.de>","Sender":"linux-pci-owner@vger.kernel.org","Precedence":"bulk","List-ID":"<linux-pci.vger.kernel.org>","X-Mailing-List":"linux-pci@vger.kernel.org"},"content":"When printing the driver_override parameter when it is 4095 and 4094 bytes\nlong, the printing code would access invalid memory because we need count+1\nbytes for printing.\n\nReject driver_override values of these lengths in driver_override_store().\n\nThis is in close analogy to commit 4efe874aace5 (\"PCI: Don't read past the\nend of sysfs \"driver_override\" buffer\") from Sasha Levin.\n\nFixes: 3d713e0e382e (\"driver core: platform: add device binding path 'driver_override'\")\nCc: stable@vger.kernel.org\t# v3.17+\nSigned-off-by: Nicolai Stange <nstange@suse.de>\n---\n drivers/base/platform.c | 3 ++-\n 1 file changed, 2 insertions(+), 1 deletion(-)","diff":"diff --git a/drivers/base/platform.c b/drivers/base/platform.c\nindex d1bd99271066..9045c5f3734e 100644\n--- a/drivers/base/platform.c\n+++ b/drivers/base/platform.c\n@@ -868,7 +868,8 @@ static ssize_t driver_override_store(struct device *dev,\n \tstruct platform_device *pdev = to_platform_device(dev);\n \tchar *driver_override, *old, *cp;\n \n-\tif (count > PATH_MAX)\n+\t/* We need to keep extra room for a newline */\n+\tif (count >= (PAGE_SIZE - 1))\n \t\treturn -EINVAL;\n \n \tdriver_override = kstrndup(buf, count, GFP_KERNEL);\n","prefixes":["3/3"]}