Message ID | 20230119142115.38260-1-W_Armin@gmx.de |
---|---|
Series | ACPI: battery: Fix various string handling issues |

On 19.01.23 at 15:21, Armin Wolf wrote:

> On my Dell Inspiron 3505, the battery model name was displayed
> differently than when running Windows. While I first suspected an
> ACPI issue, it turned out that the real reason was the ACPI battery
> driver failing to handle strings larger than 32 bytes.
>
> This caused the model name of the battery (35 bytes long, hex string)
> to miss proper NUL-termination, resulting in a buffer overread later.
> Luckily, a valid string was stored right after the now invalid string,
> appending only the battery serial number to the original model name.
>
> The first patch fixes a potential buffer overread when handling buffers,
> while the second patch finally increases the maximum string length to
> avoid truncating such larger strings.
>
> The patch series was tested on a Dell Inspiron 3505 and appears
> to work properly.

Are there any outstanding issues with the patch series which need
to be fixed for mainline inclusion?

Armin Wolf

> ---
> Changes in v2:
> - Drop first patch since it was already applied
> - combine the second and third patch
> - do not replace 0 with '\0'
> - spell ACPI in capitals
> - rework the buffer length handling
>
> Armin Wolf (2):
>   ACPI: battery: Fix buffer overread if not NUL-terminated
>   ACPI: battery: Increase maximum string length
>
>  drivers/acpi/battery.c | 35 +++++++++++++++++++++++------------
>  1 file changed, 23 insertions(+), 12 deletions(-)
>
> --
> 2.30.2

On Mon, Jan 30, 2023 at 10:14 AM Armin Wolf <W_Armin@gmx.de> wrote:

> On 19.01.23 at 15:21, Armin Wolf wrote:
>
> > On my Dell Inspiron 3505, the battery model name was displayed
> > differently than when running Windows. While I first suspected an
> > ACPI issue, it turned out that the real reason was the ACPI battery
> > driver failing to handle strings larger than 32 bytes.
> >
> > This caused the model name of the battery (35 bytes long, hex string)
> > to miss proper NUL-termination, resulting in a buffer overread later.
> > Luckily, a valid string was stored right after the now invalid string,
> > appending only the battery serial number to the original model name.
> >
> > The first patch fixes a potential buffer overread when handling buffers,
> > while the second patch finally increases the maximum string length to
> > avoid truncating such larger strings.
> >
> > The patch series was tested on a Dell Inspiron 3505 and appears
> > to work properly.
>
> Are there any outstanding issues with the patch series which need
> to be fixed for mainline inclusion?

I'll have a look shortly and let you know.

Thanks!

> > ---
> > Changes in v2:
> > - Drop first patch since it was already applied
> > - combine the second and third patch
> > - do not replace 0 with '\0'
> > - spell ACPI in capitals
> > - rework the buffer length handling
> >
> > Armin Wolf (2):
> >   ACPI: battery: Fix buffer overread if not NUL-terminated
> >   ACPI: battery: Increase maximum string length
> >
> >  drivers/acpi/battery.c | 35 +++++++++++++++++++++++------------
> >  1 file changed, 23 insertions(+), 12 deletions(-)
> >
> > --

On Mon, Jan 30, 2023 at 1:29 PM Rafael J. Wysocki <rafael@kernel.org> wrote:

> On Mon, Jan 30, 2023 at 10:14 AM Armin Wolf <W_Armin@gmx.de> wrote:
>
> > On 19.01.23 at 15:21, Armin Wolf wrote:
> >
> > > On my Dell Inspiron 3505, the battery model name was displayed
> > > differently than when running Windows. While I first suspected an
> > > ACPI issue, it turned out that the real reason was the ACPI battery
> > > driver failing to handle strings larger than 32 bytes.
> > >
> > > This caused the model name of the battery (35 bytes long, hex string)
> > > to miss proper NUL-termination, resulting in a buffer overread later.
> > > Luckily, a valid string was stored right after the now invalid string,
> > > appending only the battery serial number to the original model name.
> > >
> > > The first patch fixes a potential buffer overread when handling buffers,
> > > while the second patch finally increases the maximum string length to
> > > avoid truncating such larger strings.
> > >
> > > The patch series was tested on a Dell Inspiron 3505 and appears
> > > to work properly.
> >
> > Are there any outstanding issues with the patch series which need
> > to be fixed for mainline inclusion?
>
> I'll have a look shortly and let you know.

I've queued up the patches for 6.3, thanks!
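
The failure the cover letter describes, as an added example that is not part of the thread or of the kernel driver: a 35-byte name stored into a 32-byte field without a terminator is read through into the serial number stored after it. The record layout, function names and sample strings are assumptions made for illustration; the bounded store here truncates the name, which is the loss the second patch avoids by raising the limit.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 32 /* old per-string limit named in the cover letter */

/* Constructed sample values, not taken from real hardware. */
static const char MODEL[] = "0123456789ABCDEF0123456789ABCDEF012"; /* 35 chars */
static const char SERIAL[] = "1234";

/* Flawed store: copies at most FIELD_LEN bytes and writes no terminator,
 * so a source of FIELD_LEN or more bytes leaves the field unterminated. */
static void store_unterminated(char *field, const char *src)
{
	size_t n = strlen(src);

	memcpy(field, src, n < FIELD_LEN ? n : FIELD_LEN);
}

/* Bounded store: truncates to FIELD_LEN - 1 bytes and always terminates. */
static void store_bounded(char *field, const char *src)
{
	size_t n = strlen(src);

	if (n > FIELD_LEN - 1)
		n = FIELD_LEN - 1;
	memcpy(field, src, n);
	field[n] = '\0';
}

/* Fill a hypothetical two-field record (model, then serial) and return
 * what a string reader that starts at the model field would see. */
static const char *model_as_read(int bounded)
{
	static char out[2 * FIELD_LEN + 1];
	char rec[2 * FIELD_LEN] = {0}; /* one array, so the demo stays in bounds */

	if (bounded)
		store_bounded(rec, MODEL);
	else
		store_unterminated(rec, MODEL);
	store_bounded(rec + FIELD_LEN, SERIAL);
	memcpy(out, rec, sizeof(rec));
	out[sizeof(rec)] = '\0';
	return out;
}

int main(void)
{
	printf("unterminated: %s\n", model_as_read(0));
	printf("bounded:      %s\n", model_as_read(1));
	return 0;
}
```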