From patchwork Tue Oct 24 18:30:14 2023
X-Patchwork-Submitter: Christian Marangi
X-Patchwork-Id: 157661
From: Christian Marangi
To: "Rafael J. Wysocki", Viresh Kumar, MyungJoo Ham, Kyungmin Park, Chanwoo Choi, Christian Marangi, Takashi Iwai, Jonghwa Lee, linux-kernel@vger.kernel.org, linux-pm@vger.kernel.org
Cc: stable@vger.kernel.org
Subject: [PATCH 1/3] cpufreq: fix broken buffer overflow detection in trans_stats
Date: Tue, 24 Oct 2023 20:30:14 +0200
Message-Id: <20231024183016.14648-1-ansuelsmth@gmail.com>

Commit 3c0897c180c6 ("cpufreq: Use scnprintf() for avoiding potential
buffer overflow") switched from snprintf to the more secure scnprintf
but never updated the exit condition for PAGE_SIZE.

As the commit says and as scnprintf documents, scnprintf returns what
is actually written, not counting the '\0' end char. This results, in
the case of len exceeding the size, in len being set to PAGE_SIZE - 1,
as at most PAGE_SIZE - 1 can be written (as '\0' is not counted).

Because len is never set to PAGE_SIZE, the function never breaks early,
never prints the warning and never returns -EFBIG.

Fix this by fixing the condition to PAGE_SIZE - 1 to correctly trigger
the error condition.

Cc: stable@vger.kernel.org
Fixes: 3c0897c180c6 ("cpufreq: Use scnprintf() for avoiding potential buffer overflow")
Signed-off-by: Christian Marangi --- drivers/cpufreq/cpufreq_stats.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/drivers/cpufreq/cpufreq_stats.c b/drivers/cpufreq/cpufreq_stats.c index a33df3c66c88..40a9ff18da06 100644 --- a/drivers/cpufreq/cpufreq_stats.c +++ b/drivers/cpufreq/cpufreq_stats.c @@ -131,23 +131,23 @@ static ssize_t show_trans_table(struct cpufreq_policy *policy, char *buf) len += sysfs_emit_at(buf, len, " From : To\n"); len += sysfs_emit_at(buf, len, " : "); for (i = 0; i < stats->state_num; i++) { - if (len >= PAGE_SIZE) + if (len >= PAGE_SIZE - 1) break; len += sysfs_emit_at(buf, len, "%9u ", stats->freq_table[i]); } - if (len >= PAGE_SIZE) - return PAGE_SIZE; + if (len >= PAGE_SIZE - 1) + return PAGE_SIZE - 1; len += sysfs_emit_at(buf, len, "\n"); for (i = 0; i < stats->state_num; i++) { - if (len >= PAGE_SIZE) + if (len >= PAGE_SIZE - 1) break; len += sysfs_emit_at(buf, len, "%9u: ", stats->freq_table[i]); for (j = 0; j < stats->state_num; j++) { - if (len >= PAGE_SIZE) + if (len >= PAGE_SIZE - 1) break; if (pending) @@ -157,12 +157,12 @@ static ssize_t show_trans_table(struct cpufreq_policy *policy, char *buf) len += sysfs_emit_at(buf, len, "%9u ", count); } - if (len >= PAGE_SIZE) + if (len >= PAGE_SIZE - 1) break; len += sysfs_emit_at(buf, len, "\n"); } - if (len >= PAGE_SIZE) { + if (len >= PAGE_SIZE - 1) { pr_warn_once("cpufreq transition table exceeds PAGE_SIZE. Disabling\n"); return -EFBIG; }
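Review bot: In the first hunk, the check after the frequency header loop still returns a length (now PAGE_SIZE - 1) as if the read succeeded, while the check at the end of the function warns and returns -EFBIG for the same condition. A table whose header row alone fills the page is therefore handed to the reader truncated and without any warning. Either route this case to the same pr_warn_once / -EFBIG path, or add a comment explaining why a silently truncated header is acceptable here.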
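Review bot: The final check in the second hunk, "if (len >= PAGE_SIZE - 1)", cannot tell a truncated table from one that fills exactly PAGE_SIZE - 1 bytes, so an exact fit also takes the "Disabling" warning and -EFBIG path; if that conservative behaviour is intended, say so in a comment next to the check. The commit message reasons from scnprintf's return value, but every call in these hunks is sysfs_emit_at, so the comment (or the commit message) should state that sysfs_emit_at follows the same return convention. With the same "PAGE_SIZE - 1" now repeated in six conditions, a named limit would make that explanation a single place to read.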
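A userspace model of the off-by-one the commit message describes, as an added example that is not part of the patch or of the kernel source. model_scnprintf, emit_cells and the small buffer sizes are assumptions standing in for scnprintf/sysfs_emit_at and PAGE_SIZE.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>

/* Userspace model of scnprintf(): bytes actually written, '\0' excluded. */
static int model_scnprintf(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int n;

	va_start(ap, fmt);
	n = vsnprintf(buf, size, fmt, ap);
	va_end(ap);
	if (n < 0 || size == 0)
		return 0;
	return (size_t)n < size ? n : (int)(size - 1);
}

/*
 * Emit `cells` 10-byte cells into a buffer of `size` bytes (size <= 128,
 * the stand-in for PAGE_SIZE), checking len against `limit` the way the
 * table loops do. Returns the final len, or -EFBIG once len reaches limit.
 */
static int emit_cells(unsigned int cells, size_t size, size_t limit)
{
	char buf[128];
	size_t len = 0;
	unsigned int i;

	for (i = 0; i < cells; i++) {
		if (len >= limit)
			break;
		len += model_scnprintf(buf + len, size - len, "%9u ", i);
	}
	return len >= limit ? -EFBIG : (int)len;
}

int main(void)
{
	/* Constructed inputs: 8 cells need 80 bytes, the buffer holds 64. */
	printf("old check, limit = size:     %d\n", emit_cells(8, 64, 64));
	printf("new check, limit = size - 1: %d\n", emit_cells(8, 64, 63));
	printf("6 cells in 64 bytes:         %d\n", emit_cells(6, 64, 63));
	/* 60 bytes plus '\0' fit a 61-byte buffer exactly, yet len == limit. */
	printf("exact fit, new check:        %d\n", emit_cells(6, 61, 60));
	return 0;
}
```

With the old limit the overflowing table comes back as a length of 63 with no error; with the new limit it returns -EFBIG, and so does the exact-fit case.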