On Tue, Jan 14, 2020 at 10:14:55AM +0200, Kamal Heib wrote:
> Make sure to return -EINVAL when the supplied string is bigger then
> the node_desc array.
>
> Fixes: c5bcbbb9fe00 ("IB: Allow userspace to set node description")
> Signed-off-by: Kamal Heib <kamalheib1@xxxxxxxxx>
> ---
> drivers/infiniband/core/sysfs.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/infiniband/core/sysfs.c b/drivers/infiniband/core/sysfs.c
> index 087682e6969e..aa90a42d6565 100644
> --- a/drivers/infiniband/core/sysfs.c
> +++ b/drivers/infiniband/core/sysfs.c
> @@ -1268,7 +1268,9 @@ static ssize_t node_desc_store(struct device *device,
> if (!dev->ops.modify_device)
> return -EOPNOTSUPP;
>
> - memcpy(desc.node_desc, buf, min_t(int, count, IB_DEVICE_NODE_DESC_MAX));
> + if (strscpy(desc.node_desc, buf, sizeof(desc.node_desc)) == -E2BIG)
> + return -EINVAL;
> +
So, while this is the preferred code, when I checked on how this all
works what I found was madness.
The desc.node_desc is not a string. It is an array of 64 bytes, where
all 64 bits can be valid without a null termination.
Code that accesses the array like:
drivers/infiniband/core/sysfs.c: return sprintf(buf, "%.64s\n", dev->node_desc);
Is 'correct', while code like this:
drivers/infiniband/hw/bnxt_re/main.c: return scnprintf(buf, PAGE_SIZE, "%s\n", rdev->ibdev.node_desc);
Is wrong, it could run past the end of the character array.
Obviously this is all insane. If I apply your patch then userspace
looses the ability to have a 64 character node description.
If you want to persue this then please fix the underlying issue - make
node_desc into an always null terminated string:
- Increase the width to 65
- Never use memcpy to manipulate it
- Devices should set it from the mad/device array using
scnprintf(dev->node_desc, sizeof(dev->node_desc), "%.64s\n", mad_desc)
Perhaps this should be a helper function
- Devices should read it into a MAD format using some approach
zero fills
- Get rid of all the .64 format strings
Thanks,
Jason
