From patchwork Tue Dec  1 17:23:50 2015
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "Prakash, Prashanth" <pprakash@codeaurora.org>
X-Patchwork-Id: 7739131
Return-Path: <linux-acpi-owner@kernel.org>
X-Original-To: patchwork-linux-acpi@patchwork.kernel.org
Delivered-To: patchwork-parsemail@patchwork2.web.kernel.org
Received: from mail.kernel.org (mail.kernel.org [198.145.29.136])
	by patchwork2.web.kernel.org (Postfix) with ESMTP id 0BB23BEEE1
	for <patchwork-linux-acpi@patchwork.kernel.org>;
	Tue,  1 Dec 2015 17:24:15 +0000 (UTC)
Received: from mail.kernel.org (localhost [127.0.0.1])
	by mail.kernel.org (Postfix) with ESMTP id A78922069B
	for <patchwork-linux-acpi@patchwork.kernel.org>;
	Tue,  1 Dec 2015 17:24:12 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id AAB7A20678
	for <patchwork-linux-acpi@patchwork.kernel.org>;
	Tue,  1 Dec 2015 17:24:11 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1756222AbbLARXy (ORCPT
	<rfc822;patchwork-linux-acpi@patchwork.kernel.org>);
	Tue, 1 Dec 2015 12:23:54 -0500
Received: from smtp.codeaurora.org ([198.145.29.96]:51973 "EHLO
	smtp.codeaurora.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1755546AbbLARXx (ORCPT
	<rfc822; linux-acpi@vger.kernel.org>); Tue, 1 Dec 2015 12:23:53 -0500
Received: from smtp.codeaurora.org (localhost [127.0.0.1])
	by smtp.codeaurora.org (Postfix) with ESMTP id D4D0D1410A9;
	Tue,  1 Dec 2015 17:23:52 +0000 (UTC)
Received: by smtp.codeaurora.org (Postfix, from userid 486)
	id C45131410E3; Tue,  1 Dec 2015 17:23:52 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on mail.kernel.org
X-Spam-Level: 
X-Spam-Status: No, score=-6.9 required=5.0 tests=BAYES_00, RCVD_IN_DNSWL_HI,
	T_RP_MATCHES_RCVD,
	UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1
Received: from [10.226.58.87] (i-global254.qualcomm.com [199.106.103.254])
	(using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits))
	(No client certificate requested)
	(Authenticated sender: pprakash@smtp.codeaurora.org)
	by smtp.codeaurora.org (Postfix) with ESMTPSA id A7BEE1410BC;
	Tue,  1 Dec 2015 17:23:51 +0000 (UTC)
Subject: Re: [PATCH v2 5/5] ACPI / processor_idle: Add support for Low Power
	Idle(LPI) states
To: Ashwin Chaugule <ashwin.chaugule@linaro.org>,
	Sudeep Holla <sudeep.holla@arm.com>
References: <1438710406-3822-1-git-send-email-sudeep.holla@arm.com>
	<1442411963-14398-1-git-send-email-sudeep.holla@arm.com>
	<1442411963-14398-6-git-send-email-sudeep.holla@arm.com>
	<CAJ5Y-ebOPE1oamRk31nxL6VkgSdDd6AmEe2Fw1ku5pGt25D2Rg@mail.gmail.com>
Cc: linux acpi <linux-acpi@vger.kernel.org>,
	"Rafael J. Wysocki" <rjw@rjwysocki.net>,
	lkml <linux-kernel@vger.kernel.org>, linux-ia64@vger.kernel.org,
	x86@kernel.org, Al Stone <al.stone@linaro.org>,
	Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>,
	Mahesh Sivasubramanian <msivasub@codeaurora.org>, wufan@codeaurora.org
From: "Prakash, Prashanth" <pprakash@codeaurora.org>
Message-ID: <565DD7A6.1000802@codeaurora.org>
Date: Tue, 1 Dec 2015 10:23:50 -0700
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101
	Thunderbird/38.3.0
MIME-Version: 1.0
In-Reply-To: 
 <CAJ5Y-ebOPE1oamRk31nxL6VkgSdDd6AmEe2Fw1ku5pGt25D2Rg@mail.gmail.com>
X-Virus-Scanned: ClamAV using ClamSMTP
Sender: linux-acpi-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-acpi.vger.kernel.org>
X-Mailing-List: linux-acpi@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

Hi Sudeep,
>> +static void combine_lpi_states(struct acpi_processor_lpi *l_lpi,
>> +                              struct acpi_processor_lpi *p_lpi,
>> +                              struct acpi_processor_lpi *c_lpi)
>> +{
>> +       c_lpi->min_residency = max(l_lpi->min_residency, p_lpi->min_residency);
>> +       c_lpi->wake_latency = l_lpi->wake_latency + p_lpi->wake_latency;
>> +       c_lpi->enable_parent_state = p_lpi->enable_parent_state;
>> +       c_lpi->entry_method = l_lpi->entry_method;
>> +       c_lpi->address = l_lpi->address + p_lpi->address;
>> +       c_lpi->index = p_lpi->index;
>> +       c_lpi->flags = p_lpi->flags;
>> +       c_lpi->arch_flags = p_lpi->arch_flags;
>> +       strncpy(c_lpi->desc, l_lpi->desc, ACPI_CX_DESC_LEN);
>> +       strncat(c_lpi->desc, "+", ACPI_CX_DESC_LEN);
>> +       strncat(c_lpi->desc, p_lpi->desc, ACPI_CX_DESC_LEN);
>> +}
I suppose you meant to use strl* instead of strn* operations.  Below is a
simple patch to fix these. Can you please fold these changes into your next
version as well?

ACPI / Processor: fix buffer overflow caused by strncat/strncpy

The misuse of strncat in LPI code is causing buffer overflow. The fix
is to replace strncat with strlcat.

Signed-off-by: Fan Wu <wufan@codeaurora.org>
Signed-off-by: Prashanth Prakash <pprakash@codeaurora.org>
---

 drivers/acpi/processor_idle.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c
index af851f1..4ca42a7 100644
--- a/drivers/acpi/processor_idle.c
+++ b/drivers/acpi/processor_idle.c
@@ -856,7 +856,7 @@ static int acpi_processor_setup_cstates(struct acpi_processor *pr)
 
 		state = &drv->states[count];
 		snprintf(state->name, CPUIDLE_NAME_LEN, "C%d", i);
-		strncpy(state->desc, cx->desc, CPUIDLE_DESC_LEN);
+		strlcpy(state->desc, cx->desc, CPUIDLE_DESC_LEN);
 		state->exit_latency = cx->latency;
 		state->target_residency = cx->latency * latency_factor;
 		state->enter = acpi_idle_enter;
@@ -1009,7 +1009,7 @@ static int acpi_processor_evaluate_lpi(acpi_handle handle,
 
 		obj = &element->package.elements[9];
 		if (obj->type == ACPI_TYPE_STRING)
-			strncpy(lpix->desc, obj->string.pointer, ACPI_CX_DESC_LEN);
+			strlcpy(lpix->desc, obj->string.pointer, ACPI_CX_DESC_LEN);
 
 		lpix->index = state_count;
 
@@ -1068,9 +1068,9 @@ static void combine_lpi_states(struct acpi_processor_lpi *l_lpi,
 	c_lpi->index = p_lpi->index;
 	c_lpi->flags = p_lpi->flags;
 	c_lpi->arch_flags = p_lpi->arch_flags;
-	strncpy(c_lpi->desc, l_lpi->desc, ACPI_CX_DESC_LEN);
-	strncat(c_lpi->desc, "+", ACPI_CX_DESC_LEN);
-	strncat(c_lpi->desc, p_lpi->desc, ACPI_CX_DESC_LEN);
+	strlcpy(c_lpi->desc, l_lpi->desc, ACPI_CX_DESC_LEN);
+	strlcat(c_lpi->desc, "+", ACPI_CX_DESC_LEN);
+	strlcat(c_lpi->desc, p_lpi->desc, ACPI_CX_DESC_LEN);
 }
 
 static int flatten_lpi_states(struct acpi_processor *pr,
@@ -1190,7 +1190,7 @@ static int acpi_processor_setup_lpi_states(struct acpi_processor *pr)
 
 		state = &drv->states[i];
 		snprintf(state->name, CPUIDLE_NAME_LEN, "LPI-%d", i);
-		strncpy(state->desc, lpi->desc, CPUIDLE_DESC_LEN);
+		strlcpy(state->desc, lpi->desc, CPUIDLE_DESC_LEN);
 		state->exit_latency = lpi->wake_latency;
 		state->target_residency = lpi->min_residency;
 		if (lpi->arch_flags)