From patchwork Sun Jan 29 18:23:08 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Christophe JAILLET X-Patchwork-Id: 50032 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:adf:eb09:0:0:0:0:0 with SMTP id s9csp1848301wrn; Sun, 29 Jan 2023 10:44:20 -0800 (PST) X-Google-Smtp-Source: AK7set9Rbohga+G7b+7FQi0BQ+YHHJz1ylAFthrVMtz0U3fYuCLiiH8QowkYvperjnd02uy3vXfC X-Received: by 2002:a17:902:e546:b0:196:4814:2a2d with SMTP id n6-20020a170902e54600b0019648142a2dmr5717601plf.39.1675017859747; Sun, 29 Jan 2023 10:44:19 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1675017859; cv=none; d=google.com; s=arc-20160816; b=VVGyEkMNzUTDTNYIPLhYd2UXZuafz+J736BPyzunosAhfvrqc3/vgnQlu47UQn7D3I MvP57afxND546y/Az3+tz5eAIpYP9sbAhUFrMVyOOpiqW0ixcsjgVESdMcpiRyep/EPW suYhVVBMcULTmCeyZPf3Ui60cSLN2KHoZX8T9wlpQBOg1cx5KGWRouxsQCGMBp9enOAQ xUTDpAYGJjdo6gbCwTp3l5xzaVOZUcQMcWJshHIwxzYYk39dvPUezNvjmf799tbT4Epn ZakHZrYrevJtu6Vl9sZx/xazUfSdhKFjjYUlnG8bwv+5r2hQwCqIK7fElXaaEFCfJVwU LISg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=6YbFBpcBq30kgPaFjgWen5xBakteS5ohPQw3PDSNSpA=; b=Z/CS5mbhC64OUlSzeH/kB6mSURcQVD4ZParRMppka56wRsI5yG1BdpHXK+wR4P6uL6 DYaU5sH48aG6nzTvHTVdr0Og9ouHwqcElMoZQeqg4GggMrbDXdnyQkNeiPaqpnunIJG/ U7D+lS1gnoHrYss68Czgcl/b+FsQ3OTv0XRvj8IJ7YXW78zsexNlQtJuUg6tXia0FUuu Pbt80LLexSNE+Csm1YuBRjzXyg8ul/tCr/hL9NGNtrT6ooYLF7bFzbAupNbtUlqZJjJn GE52gyPElQBZ0rr56Mt4WfawFivzTmz69lEy2ttO02q94KPxmW0gBBwWJmlogTHvSKVr yZww== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id c1-20020a170902f30100b00193f8c6a020si10126264ple.111.2023.01.29.10.44.07; Sun, 29 Jan 2023 10:44:19 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235277AbjA2SXa (ORCPT + 99 others); Sun, 29 Jan 2023 13:23:30 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41048 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235154AbjA2SX2 (ORCPT ); Sun, 29 Jan 2023 13:23:28 -0500 Received: from smtp.smtpout.orange.fr (smtp-12.smtpout.orange.fr [80.12.242.12]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2141F1BAEC for ; Sun, 29 Jan 2023 10:23:27 -0800 (PST) Received: from pop-os.home ([86.243.2.178]) by smtp.orange.fr with ESMTPA id MCKlpGwDQMaRbMCKmpnji1; Sun, 29 Jan 2023 19:23:25 +0100 X-ME-Helo: pop-os.home X-ME-Auth: Y2hyaXN0b3BoZS5qYWlsbGV0QHdhbmFkb28uZnI= X-ME-Date: Sun, 29 Jan 2023 19:23:25 +0100 X-ME-IP: 86.243.2.178 From: Christophe JAILLET To: gregkh@linuxfoundation.org, peterz@infradead.org, pmladek@suse.com, john.ogness@linutronix.de, baolu.lu@linux.intel.com, tglx@linutronix.de, mingo@kernel.org Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, kernel-janitors@vger.kernel.org, Christophe JAILLET Subject: [PATCH 1/3] usb: early: xhci-dbc: Fix a potential out-of-bound memory access Date: Sun, 29 Jan 2023 19:23:08 +0100 Message-Id: X-Mailer: git-send-email 2.34.1 In-Reply-To: References: MIME-Version: 1.0 X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1756383527595496413?= X-GMAIL-MSGID: =?utf-8?q?1756383527595496413?= If xdbc_bulk_write() fails, the values in 'buf' can be anything. So the string is not guaranteed to be NULL terminated when xdbc_trace() is called. Reserve an extra byte, which will be zeroed automatically because 'buf' is a static variable, in order to avoid troubles, should it happen. Fixes: aeb9dd1de98c ("usb/early: Add driver for xhci debug capability") Signed-off-by: Christophe JAILLET --- drivers/usb/early/xhci-dbc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/usb/early/xhci-dbc.c b/drivers/usb/early/xhci-dbc.c index 797047154820..f3e23be227d4 100644 --- a/drivers/usb/early/xhci-dbc.c +++ b/drivers/usb/early/xhci-dbc.c @@ -874,7 +874,8 @@ static int xdbc_bulk_write(const char *bytes, int size) static void early_xdbc_write(struct console *con, const char *str, u32 n) { - static char buf[XDBC_MAX_PACKET]; + /* static variables are zeroed, so buf is always NULL terminated */ + static char buf[XDBC_MAX_PACKET + 1]; int chunk, ret; int use_cr = 0;