[PATCH] ASoC: SOF: debug: Fix a potential issue on string buffer termination
The function simple_write_to_buffer() doesn't add string termination at the end of buf; we need to add it on our own if calling that function to write the size of count chars to buf. This change refers to the function tokenize_input() in debug.c and the function sof_dfsentry_trace_filter_write() in trace.c.
We didn't find this potential issue in the past because sometimes we are very lucky: we kzalloc the size of count buf, and the kernel not only returns a buf with buf[0 ... (count - 1)] = 0 but also buf[count] = 0. With this luck, this issue will not be exposed.
Fixes: 091c12e1f50c ("ASoC: SOF: debug: add new debugfs entries for IPC flood test")
Signed-off-by: Hui Wang hui.wang@canonical.com
---
sound/soc/sof/debug.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sound/soc/sof/debug.c b/sound/soc/sof/debug.c index 30213a1beaaa..edd4893119dd 100644 --- a/sound/soc/sof/debug.c +++ b/sound/soc/sof/debug.c @@ -352,9 +352,10 @@ static ssize_t sof_dfsentry_write(struct file *file, const char __user *buffer, char *string; int ret;
- string = kzalloc(count, GFP_KERNEL); + string = kzalloc(count+1, GFP_KERNEL); if (!string) return -ENOMEM; + string[count] = '\0';
size = simple_write_to_buffer(string, count, ppos, buffer, count); ret = size;
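Review bot: The added `string[count] = '\0';` after the NULL check is redundant, because kzalloc() already zero-fills the whole count+1 allocation and simple_write_to_buffer() is still passed count as the available size, so the byte at index count is never overwritten. Drop that line, and write the allocation as `kzalloc(count + 1, GFP_KERNEL)` with spaces around the operator to match kernel coding style. It would also help to say in the commit message that the extra byte is what guarantees termination for the string parsing that follows, since the hunk itself does not show the consumer of `string`.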
Hi,
On Mon, 8 Feb 2021, Hui Wang wrote:
The function simple_write_to_buffer() doesn't add string termination at the end of buf; we need to add it on our own if calling that function to write the size of count chars to buf. This change refers to the function tokenize_input() in debug.c and the function sof_dfsentry_trace_filter_write() in trace.c.
[...]
--- a/sound/soc/sof/debug.c +++ b/sound/soc/sof/debug.c @@ -352,9 +352,10 @@ static ssize_t sof_dfsentry_write(struct file *file, const char __user *buffer, char *string; int ret;
- string = kzalloc(count, GFP_KERNEL);
- string = kzalloc(count+1, GFP_KERNEL);
ouch, good catch, thanks! We have this correct in soc/sof/trace.c, but not here. To keep up with kernel style, maybe:
+ string = kzalloc(count + 1, GFP_KERNEL);
if (!string) return -ENOMEM;
- string[count] = '\0';
kzalloc() returns zeros, so no need for this.
Br, Kai
On 2/8/21 5:32 PM, Kai Vehmanen wrote:
Hi,
On Mon, 8 Feb 2021, Hui Wang wrote:
The function simple_write_to_buffer() doesn't add string termination at the end of buf; we need to add it on our own if calling that function to write the size of count chars to buf. This change refers to the function tokenize_input() in debug.c and the function sof_dfsentry_trace_filter_write() in trace.c.
[...]
--- a/sound/soc/sof/debug.c +++ b/sound/soc/sof/debug.c @@ -352,9 +352,10 @@ static ssize_t sof_dfsentry_write(struct file *file, const char __user *buffer, char *string; int ret;
- string = kzalloc(count, GFP_KERNEL);
- string = kzalloc(count+1, GFP_KERNEL);
ouch, good catch, thanks! We have this correct in soc/sof/trace.c, but not here. To keep up with kernel style, maybe:
- string = kzalloc(count + 1, GFP_KERNEL);
if (!string) return -ENOMEM;
- string[count] = '\0';
kzalloc() returns zeros, so no need for this.
Right, other places use kmalloc(); here kzalloc() doesn't need to set 0. Will drop it in the v2.
Thanks.
Hui.
Br, Kai
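A user-space model of the failure discussed in this thread, added here as an example and not taken from the thread or the SOF code. model_kzalloc(), model_write_to_buffer(), parsed_length() and the poisoned arena are hypothetical stand-ins for the kernel allocator and simple_write_to_buffer(); the input "1234" is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 64
#define POISON 0xAA /* constructed stand-in for stale, non-zero heap bytes */

/* Models simple_write_to_buffer(): copies at most `available` bytes and
 * never appends a terminator. */
static size_t model_write_to_buffer(char *to, size_t available,
                                    const char *from, size_t count)
{
    size_t n = count < available ? count : available;

    memcpy(to, from, n);
    return n;
}

/* Models kzalloc(): zeroes `size` bytes at the start of a poisoned arena,
 * so the bytes after the allocation are non-zero (the unlucky case). */
static char *model_kzalloc(char *arena, size_t size)
{
    memset(arena, POISON, ARENA_SIZE);
    memset(arena, 0, size);
    return arena;
}

/* Length a string parser would see after the write. The search is bounded
 * by the arena so the model itself never reads out of bounds; a result of
 * ARENA_SIZE means no terminator was found inside the arena. */
size_t parsed_length(size_t alloc_size, const char *input, size_t count)
{
    static char arena[ARENA_SIZE];
    const char *nul;
    char *string;

    if (alloc_size > ARENA_SIZE || count > alloc_size)
        return 0;
    string = model_kzalloc(arena, alloc_size);
    model_write_to_buffer(string, count, input, count);
    nul = memchr(string, '\0', ARENA_SIZE);
    return nul ? (size_t)(nul - string) : ARENA_SIZE;
}

int main(void)
{
    printf("alloc count:     %zu\n", parsed_length(4, "1234", 4));
    printf("alloc count + 1: %zu\n", parsed_length(5, "1234", 4));
    return 0;
}
```

With an allocation of count bytes the parser runs past the four bytes written; with count + 1 the zeroed extra byte stops it at 4.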