On Fri, 2021-01-08 at 21:02 +0100, Johannes Berg wrote:
> This looks wrong to me, am I missing something?
>
> > diff --git a/net/mac80211/debugfs.c b/net/mac80211/debugfs.c
> > index 9135b6f..9991a6a 100644
> > --- a/net/mac80211/debugfs.c
> > +++ b/net/mac80211/debugfs.c
> > @@ -120,7 +120,6 @@ static ssize_t aqm_write(struct file *file,
> > {
> > struct ieee80211_local *local = file->private_data;
> > char buf[100];
> > - size_t len;
> >
> > if (count > sizeof(buf))
> > return -EINVAL;
>
> This ensures that count <= sizeof(buf)
>
> > @@ -128,10 +127,10 @@ static ssize_t aqm_write(struct file *file,
> > if (copy_from_user(buf, user_buf, count))
> > return -EFAULT;
>
> We copy, that's fine.
>
> > - buf[sizeof(buf) - 1] = '\0';
> > - len = strlen(buf);
> > - if (len > 0 && buf[len-1] == '\n')
> > - buf[len-1] = 0;
> > + if (count && buf[count - 1] == '\n')
> > + buf[count - 1] = '\0';
>
> This I think really was meant as strlen, because if you write something
> like
>
> 10\n\0\0\0\0
>
> before it would have parsed it as 10 still, now it gets confused?
>
> I guess I'm not worried about that though.
I think the problem only happens on airtime_flags_write() that uses
kstrtou16()
> > + buf[count] = '\0';
>
> But if count == sizeof(buf) then this is an out-of-bounds write.
Right. Then, we can
if (count >= sizeof(buf))
return -EINVAL;
Ryder
