On Mon, Apr 22, 2024 at 04:51:49PM -0700, Doug Anderson wrote: > Hi, > > On Mon, Apr 22, 2024 at 9:37 AM Daniel Thompson > <daniel.thompson@xxxxxxxxxx> wrote: > > > > Currently, when the user attempts symbol completion with the Tab key, kdb > > will use strncpy() to insert the completed symbol into the command buffer. > > Unfortunately it passes the size of the source buffer rather than the > > destination to strncpy() with predictably horrible results. Most obviously > > if the command buffer is already full but cp, the cursor position, is in > > the middle of the buffer, then we will write past the end of the supplied > > buffer. > > > > Fix this by replacing the dubious strncpy() calls with memmove()/memcpy() > > calls plus explicit boundary checks to make sure we have enough space > > before we start moving characters around. > > > > Reported-by: Justin Stitt <justinstitt@xxxxxxxxxx> > > Closes: https://lore.kernel.org/all/CAFhGd8qESuuifuHsNjFPR-Va3P80bxrw+LqvC8deA8GziUJLpw@xxxxxxxxxxxxxx/ > > Cc: stable@xxxxxxxxxxxxxxx > > Signed-off-by: Daniel Thompson <daniel.thompson@xxxxxxxxxx> > > --- > > kernel/debug/kdb/kdb_io.c | 21 +++++++++++++-------- > > 1 file changed, 13 insertions(+), 8 deletions(-) > > Boy, this function (and especially the tab handling) is hard to read. Too right. I even rewrote it using offsets rather than pointers at one point (it didn't really make it much clearer so I dropped that for now). > I spent a bit of time trying to grok it and, as far as I can tell, > your patch makes things better and I don't see any bugs. > > Reviewed-by: Douglas Anderson <dianders@xxxxxxxxxxxx> Thanks! Daniel.
