On 06. 11. 21, 21:48, Pavel Skripkin wrote:
On 11/6/21 23:44, Ajay Garg wrote:
>
> That's the whole point of the discussion :)
>
> The method "vt_do_kdgkb_ioctl" does not manage "func_table[kb_func]".
> Thus, the method does not know whether or not
> strlen(func_table[kb_func]) < sizeof(user_kdgkb->kb_string).
>
It manages. The code under `case KDSKBSENT:` sets func_table[] entries
via vt_kdskbsent().
kbs = strndup_user(..., sizeof(user_kdgkb->kb_string));
is used to allocate buffer for the func_table[] entry. That's my main
point :)
func_table is set in vt_kdskbent, which itself is external.
More importantly, vt_kdskbent is handled in case KDSKBSENT:, while the
strlcpy issue we are dealing with is in case KDGKBSENT:
In case KDGKBSENT, following are managed :
ssize_t len = sizeof(user_kdgkb->kb_string);
kbs = kmalloc(len, GFP_KERNEL);
while func_table[kb_func] is external entity here, so no assumption
ought to be made for it, just my 2 cents though :)
Anyhow, really, it is the maintainers' choice now :), since there
isn't a burning (compilation/runtime) issue.
I fully agree here, it's maintainer's choice. Let's sit down and wait
what experienced people thing about this :)
I don't quite understand what the problem is. Provided I wrote the code,
is there something wrong with this commit (and its explanation), in
particular?
commit 6ca03f90527e499dd5e32d6522909e2ad390896b
Author: Jiri Slaby <jirislaby@xxxxxxxxxx>
Date: Mon Oct 19 10:55:16 2020 +0200
vt: keyboard, simplify vt_kdgkbsent
Use 'strlen' of the string, add one for NUL terminator and simply do
'copy_to_user' instead of the explicit 'for' loop. This makes the
KDGKBSENT case more compact.
The only thing we need to take care about is NULL 'func_table[i]'. Use
an empty string in that case.
The original check for overflow could never trigger as the func_buf
strings are always shorter or equal to 'struct kbsentry's.
thanks,
--
js
suse labs
