From patchwork Sun Apr 28 08:28:42 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Kiszka X-Patchwork-Id: 13645922 Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-ve1eur01on2082.outbound.protection.outlook.com [40.107.14.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 56A9D53807; Sun, 28 Apr 2024 08:28:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=fail smtp.client-ip=40.107.14.82 ARC-Seal: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714292931; cv=fail; b=M5xWA0vgNBRBSxv5+5fB7f8xSw9uJbn5L3+WpKnSNmii/1VuZ+mE/Mx3uBtb6NO6RNosvcxyYGg5Q5JPUQDL9eswjs06bO1kZGMpwJNZwpV93uc5DkFVzz8gRDosyHxEwZLc2/aopgrr6ANnu8QgoWicXT+a3WO2D2fpCIgF5GE= ARC-Message-Signature: i=2; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714292931; c=relaxed/simple; bh=ogkw0Vt4ODmbZa3jCzquroP7SHcTyp81DkvoQxiMfnw=; h=Message-ID:Date:From:Subject:To:Cc:Content-Type:MIME-Version; b=lt0DdNttJYlqwBOcE0Oxlv+DtOhbKV6bXk+7g77xHPlV1s1YNMNjRn/+FnPRl3i1YfqRFB7kNcem7U0yWXkB9V8z5CEjHOLPIJvqI+P+TjQW79A5i0lelmyTsr7nc5ghEX3L4f1bouJmAVcAGDBypv0NAzYO6rQyJM6QG4d4BfA= ARC-Authentication-Results: i=2; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=siemens.com; spf=pass smtp.mailfrom=siemens.com; dkim=pass (2048-bit key) header.d=siemens.com header.i=@siemens.com header.b=chWBuI8/; arc=fail smtp.client-ip=40.107.14.82 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=siemens.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=siemens.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=siemens.com header.i=@siemens.com header.b="chWBuI8/" ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MksL1OjG56hmwMpeaSjtPhH8Qy4/tE29Mt/oqEbFW38CAV/ur4AP4B3qW0d61iFDYKWe3ocylx0us29cFJ0g+dM9NYs4eTIQ8Z0uhUrJciYvBQK8mtr5ry4807RHpT7B1JttG7eKdN5PotHGBK0U2D8aXLN+q8KKmtaTSQZ4NpXAlBL0ITA/bPV5zwuO6XRLCFjexteVboGsqdPl0kCQjAzUDXfrYkKMxHCfK/jd97Xbp5op32letmG+kF8etcrb1SnimBfkOFw/YX7xVwWdn4K2Fdmyp6EJwU935uafW3EJzN7bxL6WuP938AQDsmaa2w0Hfwv0lGSwPSRnppdAAg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=ddL+H7gfL6kK702PSO3E8tiJYxYPDySQgKXJlGORC3c=; b=Q6FCgOSzTR5KOhbK8oyvCZI/gYrGLURflOj+xII7fxX2JvlBKBFyOaWD5pmsP3sUMqqUFC6kRwkXJWzd78GquMRUN/d+SlJfUrGDGvARPuc5l7HeRzleix6afhAGgkeIVe5Tbepz4we39bhq+kv/SpYj0cUhP4VH+EbNehx5KrhJkAYiFpGhMj9xzXUvSZi5EAlsyNq+ca3ami9fqa6VLI/zCr4fFzogoDocHcyNJ+lZIpo/l5AWf5QPQGbSFQxE2emHHGEfEbalsH8Y+zT1e6xPAO0lzR4bgqGL+v5QQNw8jWHhG4H4hLM+5HZsJcJbsQ1euxMLW03JyV23YRzbaA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=siemens.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ddL+H7gfL6kK702PSO3E8tiJYxYPDySQgKXJlGORC3c=; b=chWBuI8/2cdT3FVwIvQ5y+NgSDuILaPeuGmFHnE7IQDFLAvWk9w+etcXxhqD68FSEXBff3xIYC+O+gVyTpeJcRo/GWXisBEIN9+l8Ls8jGL+K+Q5Jnnw1GZ+nDguJsq61HbGEhh0rosb7ilhEW2tmGjbZQMxC6cLOeubrzSNfbnjWD6SxRkoJvnj7lz4S/en2EnfKhder1ldmM2SKoIEhHSwsD04piSP4tmqKMXx2DnoOt9Lob5Aby4T4PW5tMkXDDnhC5fzWzbsNWSsJnDXWnk/Vr2oS1ZFqI1oWRy9/JnOAId7H2L5ap/n7I0OIcYy/aXXN44jWa/ggWNG4Qq4ag== Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=siemens.com; Received: from AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:588::19) by GV2PR10MB7558.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:150:d6::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7519.32; Sun, 28 Apr 2024 08:28:45 +0000 Received: from AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM ([fe80::8fe1:7e71:cf4a:7408]) by AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM ([fe80::8fe1:7e71:cf4a:7408%6]) with mapi id 15.20.7519.031; Sun, 28 Apr 2024 08:28:44 +0000 Message-ID: <8a59f3b2-48b0-4a62-ab54-61f8d6068cbc@siemens.com> Date: Sun, 28 Apr 2024 10:28:42 +0200 User-Agent: Mozilla Thunderbird From: Jan Kiszka Subject: [PATCH 5.10.y] PM / devfreq: Fix buffer overflow in trans_stat_show Content-Language: en-US To: Greg Kroah-Hartman , Sasha Levin , "stable@vger.kernel.org" Cc: Christian Marangi , Chanwoo Choi , Johnny Liu , Jon Hunter , Linux PM list X-ClientProxiedBy: FR0P281CA0227.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:b2::7) To AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:588::19) Precedence: bulk X-Mailing-List: linux-pm@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: AS4PR10MB6181:EE_|GV2PR10MB7558:EE_ X-MS-Office365-Filtering-Correlation-Id: 0a0961e8-fb40-4bbb-bb46-08dc675d37cb X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230031|376005|1800799015|366007; X-Microsoft-Antispam-Message-Info: =?utf-8?q?c2CLTyVgZPrkU80vxTohY6BwEZ16x4G?= =?utf-8?q?TeCvvnp/iJVLE6xl1IXMbYt2pvr4f7sTk0b4KQSpAPH5izcCLwXfzbpVSQkbuL8RY?= =?utf-8?q?H+lgjP4ucCe0T3Ni+fTfzsrLja8hAgQUXLRMuCureTD0wi4OdY5ihVWCYojmC4iS9?= =?utf-8?q?kNXWBACOAh4Bfhm7lpJsraIpqVrDaJwM2hqEvOiRJ0oPJxeTd+EeFq/oLxtmG95Gv?= =?utf-8?q?t7y5na/+yvGoIBgalAUQWM9fz4HUGHAbgAkzVc4Iw7qHqNZgFg40ag1mEx67R7TQM?= =?utf-8?q?i8s5vK0Sq4waT29KVYPRQYd46ItnWJVY+/6GcOqafzWOZUJVwQTx4nJZIKL0U59Fh?= =?utf-8?q?8x1X5d6vyWSOCEfHkQNcull3hYlJKm2+dr3Q6mKvADLKM8C7MtZo9vPyw2wka85Nk?= =?utf-8?q?bQFHrtPdxmNvDVlNnSt8fR1hgk6069xeXISk70VwWL1qsq5s+JikXH14fICEvN9sQ?= =?utf-8?q?d4FOPHKpJnyly3jFQBymOBVHq6cZhidGJN/O+x0D0ZzzQKcoMNaTmWwZYK7cKn6Zn?= =?utf-8?q?idiI+HVizNXAUZ1gKXVkHDF2SyS0oNiNHHZq2kxRBycF3b46QynAS9sr1EfelSpFL?= =?utf-8?q?g7fyOce+xKtX2wY6BVt1LgPQyo/NSWaIJdQmeH20EWwi0+n75ONjHMVEO5a8n1B2Q?= =?utf-8?q?UqPEnNspRslXNvUq2jAt7NZdSlz8hhpW9k4B6rS3tl1/NOd9Xa4Vl+nsdEcxlZfvB?= =?utf-8?q?H5l02MqmLanAZdzSKTfb7ME7c1uQWHDXUxz2D06lzTwsqfWrsUvxJRcA/0eZVaJrW?= =?utf-8?q?7iK4Vgimpbaguz4Xl1KSb2G3aBcCavp3bsZpHyVNGBEQRK/SwtECdBVtKD6TC6o5t?= =?utf-8?q?A9gYq9pW1XEVmLuWYOUST52XKEJW9z8mX9gHoxnNcwnL/Pq86oMwIGj6ytflpnrCb?= =?utf-8?q?vmueWcmf3531QKDmTtEHzpT7P5iTF2WHleAnH3FqRUISuLYzD/Jijnu0nMmfWQIn5?= =?utf-8?q?lfYpZQkM78XnADaRvW5Zr+Wl19IWjafHA7L3fd11589Px6CDL9OYU2kvkufqQto7j?= =?utf-8?q?tT1gdxo/dAvrtLKWXmIfWDR0j5QscMVM9Y2X7f2nl5n/jWs5IPx1WdrwvmUvYBXxX?= =?utf-8?q?jfdvqeNmQBuzi/Eg4HzsE4lcSmSkDjPwy3B2JWYNjmiX4BzmuTQCQBeEwxJdeGtE4?= =?utf-8?q?mVciek0Y89w03N1Mxdos5tXI8qkodraQRehRS/5K6EDcJDOjTnuiCTkop0=3D?= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230031)(376005)(1800799015)(366007);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?q?Eh3OAKF/jD24K03P65Dch60QCEiz?= =?utf-8?q?tcoZFzV84Sm5A2lGTKULxQRfNEkZKg6j+VEnplmuov29WZ1BZH7Dy0sRwceCNV59v?= =?utf-8?q?z/o7C5SkC/I9xCyvuayH+KfUDXZ/GPKvmCtTbtNUEA0NDK3HGaS9tDhwOA04SV5d5?= =?utf-8?q?3DhlTdaaZrtRzu6zg7o0MuCmO2C3+4wCiA16ZHlFFftX0l/XcMRKqwLu0wn3CH3mB?= =?utf-8?q?3ksUSoaE4jvL/FfOfgtLv8UGGou4uQHpXVqH6+s7KYkl5b7juY2/IcajG42yKlX9F?= =?utf-8?q?wWtpO+GNHP2TkNhjVhSxFDhik5888fGnW7ghy7ZzODykHqRFzgYN2/cg2aYjvRRC0?= =?utf-8?q?7tMKMCC4W9fXzCXh8eyE/bsfGLQqve4/GmDc3Fm+4B1nvOSffOspykveFM2W6Bl7Z?= =?utf-8?q?HR0l+rpZ3FCKF7EaksHbC6Y9vPGyptc7BVlOJw1709/y2S2FRHiuGcJrYa1tDs27E?= =?utf-8?q?EO0ACDoaDYfLWah/ntB3um6C1/esMe1MFAkVWNM21DROLqF239hbNboJCJwvHFxkb?= =?utf-8?q?PBOUnw2D251oCVf4ObT0D5EZpup327snzDwkj7l+t2js+MRsahzb0DH5kRswCmdDl?= =?utf-8?q?6pwomXAIbGaYELk2VEX5p7ToankC/pI+CdziBIlmltOMjaewBflu+HLN2HxTItxo/?= =?utf-8?q?Z/BCRuLJq+LbHnlJq0186gzSkV9IhBK6foVCUJ3+cYXwLEtca7+MVkrcxUOi/m6d3?= =?utf-8?q?/kfSY0X3Q2hpg6uasl0xtKF1DQ0MV+auqFDrkRmgdfgrS72k1OJV0mpUUcWhD/oxR?= =?utf-8?q?ADGiQS9jBzoI4XnvoNE0E8C5tPnq1a2PzJZ2DI+YxFOFMJNcEG9RqDSHZiVmssoFd?= =?utf-8?q?/ddjoy/BOSp9QE5qGaB8y0AFNXQaOuEjL8whXkTYJqLKGvarYpxC0xjEdVXEkFD+V?= =?utf-8?q?JoHsCUkowYqaVrddJzKWWb24/RhJQNHoU6Bs/aMbHdrfJMBmUWfQypmUDwppBDzbl?= =?utf-8?q?mCVlb4FEo3nIJf5eq3vNF4yhptsHsj7jEjy0eAZj24VUmj7/lkoXbzMlHjqEb9avH?= =?utf-8?q?XttJple5Nf3S2uV3w94Uf59kr3i1gzlPbR2PF+0TERHAD23oqArwTRRFdPL6kMjt+?= =?utf-8?q?SWqnS4p4sfFxordSoGC4GL8cbsZNWJ3kDHJRb3589Cg9qatjXaoCeKwbI3EgWns7s?= =?utf-8?q?ix8tYUJqQ+lRN6Ua20of0g60C8zYgdKGIq1SaT2R8PUwCUSSV/qoyA8wzLClZmlmS?= =?utf-8?q?jzgP/HwBkRFQx51MY90gf2TwABmdNMpKZhmwoK2LUlKR1m3jrz64GqW15zHvMwtd7?= =?utf-8?q?X4jc6Hz+/6G+gqKiFARqioLIg1EHukwMQMwMnP4z2r+gl5NXCMu3udv4YSqWudCHg?= =?utf-8?q?AJCgu3TGwwBRXwNYdeWTT+DeQ6eSX0L4a/sT2YuGk9ZmwS3hwFRUI7Xi+p7xYWU0m?= =?utf-8?q?2N/Axyvtmw+2dJViS9cnAjjq8vG/95s9Juo/qh+nYpL0NsfLyuB/a6I+BOFAaWWR4?= =?utf-8?q?/aCoaq/P/oERTCtPWPXl2ieSa/x3uDV4W4fEGrJlSMG2QLvW9qDkuHjfFYrOpV92W?= =?utf-8?q?vJDP8gcO15m3?= X-OriginatorOrg: siemens.com X-MS-Exchange-CrossTenant-Network-Message-Id: 0a0961e8-fb40-4bbb-bb46-08dc675d37cb X-MS-Exchange-CrossTenant-AuthSource: AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 28 Apr 2024 08:28:44.6709 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: OVniWVMBxUB79k+1yK+seYXhcFOFF6ipFxfsf/yMOSJUf9hbC47OU4Ws6Uj79gs5zsNgRasOyRfKogi1JkHBdg== X-MS-Exchange-Transport-CrossTenantHeadersStamped: GV2PR10MB7558 From: Christian Marangi [ Upstream commit 08e23d05fa6dc4fc13da0ccf09defdd4bbc92ff4 ] Fix buffer overflow in trans_stat_show(). Convert simple snprintf to the more secure scnprintf with size of PAGE_SIZE. Add condition checking if we are exceeding PAGE_SIZE and exit early from loop. Also add at the end a warning that we exceeded PAGE_SIZE and that stats is disabled. Return -EFBIG in the case where we don't have enough space to write the full transition table. Also document in the ABI that this function can return -EFBIG error. Link: https://lore.kernel.org/all/20231024183016.14648-2-ansuelsmth@gmail.com/ Cc: stable@vger.kernel.org Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218041 Fixes: e552bbaf5b98 ("PM / devfreq: Add sysfs node for representing frequency transition information.") Signed-off-by: Christian Marangi Signed-off-by: Chanwoo Choi Signed-off-by: Sasha Levin Signed-off-by: Jan Kiszka --- Original found by someone at Nvidia. But this backport is based on the 5.15 commit (796d3fad8c35ee9df9027899fb90ceaeb41b958f) where only a conflict in sysfs-class-devfreq needed manual resolution. Documentation/ABI/testing/sysfs-class-devfreq | 3 + drivers/devfreq/devfreq.c | 59 +++++++++++++------ 2 files changed, 43 insertions(+), 19 deletions(-) diff --git a/Documentation/ABI/testing/sysfs-class-devfreq b/Documentation/ABI/testing/sysfs-class-devfreq index b8ebff4b1c4c..4514cf9fc7a1 100644 --- a/Documentation/ABI/testing/sysfs-class-devfreq +++ b/Documentation/ABI/testing/sysfs-class-devfreq @@ -66,6 +66,9 @@ Description: echo 0 > /sys/class/devfreq/.../trans_stat + If the transition table is bigger than PAGE_SIZE, reading + this will return an -EFBIG error. + What: /sys/class/devfreq/.../userspace/set_freq Date: September 2011 Contact: MyungJoo Ham diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c index 216594b86119..93df6cef4f5a 100644 --- a/drivers/devfreq/devfreq.c +++ b/drivers/devfreq/devfreq.c @@ -1639,7 +1639,7 @@ static ssize_t trans_stat_show(struct device *dev, struct device_attribute *attr, char *buf) { struct devfreq *df = to_devfreq(dev); - ssize_t len; + ssize_t len = 0; int i, j; unsigned int max_state; @@ -1648,7 +1648,7 @@ static ssize_t trans_stat_show(struct device *dev, max_state = df->profile->max_state; if (max_state == 0) - return sprintf(buf, "Not Supported.\n"); + return scnprintf(buf, PAGE_SIZE, "Not Supported.\n"); mutex_lock(&df->lock); if (!df->stop_polling && @@ -1658,33 +1658,54 @@ static ssize_t trans_stat_show(struct device *dev, } mutex_unlock(&df->lock); - len = sprintf(buf, " From : To\n"); - len += sprintf(buf + len, " :"); - for (i = 0; i < max_state; i++) - len += sprintf(buf + len, "%10lu", - df->profile->freq_table[i]); + len += scnprintf(buf + len, PAGE_SIZE - len, " From : To\n"); + len += scnprintf(buf + len, PAGE_SIZE - len, " :"); + for (i = 0; i < max_state; i++) { + if (len >= PAGE_SIZE - 1) + break; + len += scnprintf(buf + len, PAGE_SIZE - len, "%10lu", + df->profile->freq_table[i]); + } + if (len >= PAGE_SIZE - 1) + return PAGE_SIZE - 1; - len += sprintf(buf + len, " time(ms)\n"); + len += scnprintf(buf + len, PAGE_SIZE - len, " time(ms)\n"); for (i = 0; i < max_state; i++) { + if (len >= PAGE_SIZE - 1) + break; if (df->profile->freq_table[i] == df->previous_freq) { - len += sprintf(buf + len, "*"); + len += scnprintf(buf + len, PAGE_SIZE - len, "*"); } else { - len += sprintf(buf + len, " "); + len += scnprintf(buf + len, PAGE_SIZE - len, " "); + } + if (len >= PAGE_SIZE - 1) + break; + + len += scnprintf(buf + len, PAGE_SIZE - len, "%10lu:", + df->profile->freq_table[i]); + for (j = 0; j < max_state; j++) { + if (len >= PAGE_SIZE - 1) + break; + len += scnprintf(buf + len, PAGE_SIZE - len, "%10u", + df->stats.trans_table[(i * max_state) + j]); } - len += sprintf(buf + len, "%10lu:", - df->profile->freq_table[i]); - for (j = 0; j < max_state; j++) - len += sprintf(buf + len, "%10u", - df->stats.trans_table[(i * max_state) + j]); + if (len >= PAGE_SIZE - 1) + break; + len += scnprintf(buf + len, PAGE_SIZE - len, "%10llu\n", (u64) + jiffies64_to_msecs(df->stats.time_in_state[i])); + } + + if (len < PAGE_SIZE - 1) + len += scnprintf(buf + len, PAGE_SIZE - len, "Total transition : %u\n", + df->stats.total_trans); - len += sprintf(buf + len, "%10llu\n", (u64) - jiffies64_to_msecs(df->stats.time_in_state[i])); + if (len >= PAGE_SIZE - 1) { + pr_warn_once("devfreq transition table exceeds PAGE_SIZE. Disabling\n"); + return -EFBIG; } - len += sprintf(buf + len, "Total transition : %u\n", - df->stats.total_trans); return len; }