From patchwork Thu Jan 19 14:21:14 2023
X-Patchwork-Submitter: Armin Wolf
X-Patchwork-Id: 13108121
From: Armin Wolf
To: rafael@kernel.org, lenb@kernel.org
Cc: linux-acpi@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 1/2] ACPI: battery: Fix buffer overread if not NUL-terminated
Date: Thu, 19 Jan 2023 15:21:14 +0100
Message-Id: <20230119142115.38260-2-W_Armin@gmx.de>
In-Reply-To: <20230119142115.38260-1-W_Armin@gmx.de>
References: <20230119142115.38260-1-W_Armin@gmx.de>

If a buffer containing ASCII characters is not NUL-terminated (which is perfectly legal according to the ACPI specification), the ACPI battery driver might not honor its length.
Fix this by limiting the amount of data to be copied to the buffer length while also using strscpy() to make sure that the resulting string is always NUL-terminated. Also replace strncpy() vs strscpy(). Signed-off-by: Armin Wolf --- drivers/acpi/battery.c | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) -- 2.30.2 diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c index fb64bd217d82..0ec12a7dbcca 100644 --- a/drivers/acpi/battery.c +++ b/drivers/acpi/battery.c 
@@ -437,16 +437,25 @@ static int extract_package(struct acpi_battery *battery, element = &package->package.elements[i]; if (offsets[i].mode) { u8 *ptr = (u8 *)battery + offsets[i].offset; + u32 len = 32; - if (element->type == ACPI_TYPE_STRING || - element->type == ACPI_TYPE_BUFFER) - strscpy(ptr, element->string.pointer, 32); - else if (element->type == ACPI_TYPE_INTEGER) { - strncpy(ptr, (u8 *)&element->integer.value, - sizeof(u64)); - ptr[sizeof(u64)] = 0; - } else + switch (element->type) { + case ACPI_TYPE_BUFFER: + if (len > element->buffer.length + 1) + len = element->buffer.length + 1; + + fallthrough; + case ACPI_TYPE_STRING: + strscpy(ptr, element->string.pointer, len); + + break; + case ACPI_TYPE_INTEGER: + strscpy(ptr, (u8 *)&element->integer.value, sizeof(u64) + 1); + + break; + default: *ptr = 0; /* don't have value */ + } } else { int *x = (int *)((u8 *)battery + offsets[i].offset); *x = (element->type == ACPI_TYPE_INTEGER) ? From patchwork Thu Jan 19 14:21:15 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Armin Wolf X-Patchwork-Id: 13108123 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6CB01C004D4 for ; Thu, 19 Jan 2023 14:21:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231421AbjASOVc (ORCPT ); Thu, 19 Jan 2023 09:21:32 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44512 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231400AbjASOVb (ORCPT ); Thu, 19 Jan 2023 09:21:31 -0500 Received: from mout.gmx.net (mout.gmx.net [212.227.17.22]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id EDE262133; Thu, 19 Jan 2023 06:21:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; 
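Review bot: In the ACPI_TYPE_BUFFER case of the extract_package() hunk in patch 1/2, the bound `element->buffer.length + 1` is u32 arithmetic and wraps to 0 if the reported length is 0xffffffff; len then becomes 0 and strscpy() copies nothing, so the field keeps whatever it held before. Writing the clamp as `if (element->buffer.length < len - 1) len = element->buffer.length + 1;` gives the same result without the wrap. The same case takes its bound from element->buffer.length but, after the fallthrough, reads through element->string.pointer, which relies on the two union members having the same layout; a comment saying so, or an explicit copy from element->buffer.pointer, would make that intent visible. In the ACPI_TYPE_INTEGER case the count `sizeof(u64) + 1` is derived from the source rather than from the destination field, and the strscpy() return value is dropped in all three cases, so truncation is silent.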
From: Armin Wolf
To: rafael@kernel.org, lenb@kernel.org
Cc: linux-acpi@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 2/2] ACPI: battery: Increase maximum string length
Date: Thu, 19 Jan 2023 15:21:15 +0100
Message-Id: <20230119142115.38260-3-W_Armin@gmx.de>
In-Reply-To: <20230119142115.38260-1-W_Armin@gmx.de>
References: <20230119142115.38260-1-W_Armin@gmx.de>

On the Dell Inspiron 3505, the battery model name is represented as a hex string containing seven numbers, causing it to be larger than the current maximum string length (32).
Increase this length to 64 to avoid truncating the string in such cases. Also introduce a common define for the length. Signed-off-by: Armin Wolf --- drivers/acpi/battery.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) -- 2.30.2 diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c index 0ec12a7dbcca..9c67ed02d797 100644 --- a/drivers/acpi/battery.c +++ b/drivers/acpi/battery.c @@ -42,6 +42,8 @@ #define ACPI_BATTERY_STATE_CHARGING 0x2 #define ACPI_BATTERY_STATE_CRITICAL 0x4 +#define MAX_STRING_LENGTH 64 + MODULE_AUTHOR("Paul Diefenbaugh"); MODULE_AUTHOR("Alexey Starikovskiy "); MODULE_DESCRIPTION("ACPI Battery Driver"); @@ -118,10 +120,10 @@ struct acpi_battery { int capacity_granularity_1; int capacity_granularity_2; int alarm; - char model_number[32]; - char serial_number[32]; - char type[32]; - char oem_info[32]; + char model_number[MAX_STRING_LENGTH]; + char serial_number[MAX_STRING_LENGTH]; + char type[MAX_STRING_LENGTH]; + char oem_info[MAX_STRING_LENGTH]; int state; int power_unit; unsigned long flags; @@ -437,7 +439,7 @@ static int extract_package(struct acpi_battery *battery, element = &package->package.elements[i]; if (offsets[i].mode) { u8 *ptr = (u8 *)battery + offsets[i].offset; - u32 len = 32; + u32 len = MAX_STRING_LENGTH; switch (element->type) { case ACPI_TYPE_BUFFER:
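Review bot: MAX_STRING_LENGTH, added in the @@ -42,6 +42,8 @@ hunk of patch 2/2, is a very generic name for a file-local constant, while the defines directly above it carry the ACPI_BATTERY_ prefix (ACPI_BATTERY_STATE_CHARGING, ACPI_BATTERY_STATE_CRITICAL). Suggest ACPI_BATTERY_MAX_STRING_LENGTH, with a one-line comment that the value includes the terminating NUL, since it serves both as the array size in struct acpi_battery and as the strscpy() count in extract_package().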
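Review bot: In the @@ -437,7 +439,7 @@ hunk of patch 2/2, `u32 len = MAX_STRING_LENGTH;` applies one bound to every string-mode entry regardless of which field offsets[i].offset selects, so the copy stays in bounds only while all four char arrays in struct acpi_battery keep exactly that size. The shared define helps, but nothing ties the two together; a comment on the struct members stating that string-mode fields must be MAX_STRING_LENGTH bytes would keep a later field of a different size from silently overflowing here.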