From patchwork Fri Sep 9 07:02:51 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Geert Uytterhoeven X-Patchwork-Id: 9322475 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 2FA4660231 for ; Fri, 9 Sep 2016 07:02:55 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2296929C75 for ; Fri, 9 Sep 2016 07:02:55 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 16BD729C78; Fri, 9 Sep 2016 07:02:55 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.5 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 69C7329C77 for ; Fri, 9 Sep 2016 07:02:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752079AbcIIHCy (ORCPT ); Fri, 9 Sep 2016 03:02:54 -0400 Received: from baptiste.telenet-ops.be ([195.130.132.51]:36051 "EHLO baptiste.telenet-ops.be" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751981AbcIIHCx (ORCPT ); Fri, 9 Sep 2016 03:02:53 -0400 Received: from ayla.of.borg ([84.193.137.253]) by baptiste.telenet-ops.be with bizsmtp id hK2r1t0015UCtCs01K2rlZ; Fri, 09 Sep 2016 09:02:51 +0200 Received: from ramsan.of.borg ([192.168.97.29] helo=ramsan) by ayla.of.borg with esmtp (Exim 4.82) (envelope-from ) id 1biFpr-000644-FC; Fri, 09 Sep 2016 09:02:51 +0200 Received: from geert by ramsan with local (Exim 4.82) (envelope-from ) id 1biFpv-00076x-AE; Fri, 09 Sep 2016 09:02:55 +0200 From: Geert Uytterhoeven To: Mark Brown Cc: linux-spi@vger.kernel.org, Adrian Remonda , linux-kernel@vger.kernel.org, Geert Uytterhoeven , Subject: [PATCH v2] spi: spidev_test: Fix buffer overflow in unescape() Date: Fri, 9 Sep 2016 09:02:51 +0200 Message-Id: <1473404571-27302-1-git-send-email-geert+renesas@glider.be> X-Mailer: git-send-email 1.9.1 Sender: linux-spi-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-spi@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Sometimes spidev_test crashes with: *** Error in `spidev_test': munmap_chunk(): invalid pointer: 0x00022020 *** Aborted or just Segmentation fault This is due to transfer_escaped_string() miscalculating the required size of the buffer by one byte, causing a buffer overflow in unescape(). Drop the bogus "+ 1" in the strlen() parameter to fix this. Note that unescape() never copies the zero-terminator of the source string, so it writes at most as many bytes as the length of the source string. Signed-off-by: Geert Uytterhoeven Fixes: 30061915be6e3a2c ("spi: spidev_test: Added input buffer from the terminal") Cc: # v4.5+ --- v2: - As unescape() doesn't copy the zero-terminator, it's an off-by-one not off-by-two bug, and the "+ 1" should just be dropped. The bug is present in all kernel sources since v4.1, but in v4.5 the code was changed, and the source file was moved. The fix for older kernels is straight-forward, there's only a single strlen() call in Documentation/spi/spidev_test.c: - size = strlen(input_tx+1); + size = strlen(input_tx); If you want, I can send a patch against v4.4 (for v4.1..v4.4) later. --- tools/spi/spidev_test.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/spi/spidev_test.c b/tools/spi/spidev_test.c index 1eaa4de6605bd935..f046b77cfefe3056 100644 --- a/tools/spi/spidev_test.c +++ b/tools/spi/spidev_test.c @@ -285,7 +285,7 @@ static void parse_opts(int argc, char *argv[]) static void transfer_escaped_string(int fd, char *str) { - size_t size = strlen(str + 1); + size_t size = strlen(str); uint8_t *tx; uint8_t *rx;