Comments (10)
Could you write this patch please?
I don't have a good knowledge of C, but there is effectively something to change here.
from acpi_call.
I am sorry, but I do not have the time to take care of acpi_call right now. It all started as a proof-of-concept that "went into production" too soon.
I am happy to accept any patches to acpi_call to make it safer/more efficient/easier to use or otherwise better. Or the github way - create a fork, commit the code and issue a pull request - I will be happy to accept it.
from acpi_call.
I'm working on a patch that verifies the sizes of result_buffer and temporary_buffer. I'll trim the buffer data if the buffer is too small and add `, ...` instead of `, 0xXX` when the buffer is trimmed.
from acpi_call.
Never mind, I'm going to replace the last `}` character with a comma if the buffer is too small. This saves another bit of data.
from acpi_call.
My kernel-fu isn't strong enough to do this, but maybe you could just dynamically allocate a buffer of the right size? The size is known: for strings it's result->string.length, and for buffers it's result->buffer.length (where you'd need 6*n+1, since 6 chars per u8). Using snprintf and strncpy, etc. would still help, though.
from acpi_call.
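As an added example (not code from acpi_call or from anyone in this thread), here is a bounded result formatter in plain C that combines the two ideas above: the exact text size for a buffer result (6*n+1) and a snprintf-based writer that stops at an element boundary and marks the cut with `, ...` instead of `, 0xXX`. The names format_acpi_buffer, format_acpi_buffer_alloc and format_demo are my own, the 3-byte sample is constructed, and malloc stands in for the kmalloc a kernel module would use.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Text size for n bytes as "{0x00, 0x01}" plus NUL: "{" + 4n + 2(n-1) + "}" + 1
 * = 6n + 1 for n >= 1, and "{}" + NUL = 3 for n == 0. */
size_t acpi_buffer_text_size(size_t n) { return n ? 6 * n + 1 : 3; }
/* Bounded formatter: never writes past out_size and always NUL-terminates.
 * If the text does not fit it stops at an element boundary and ends with
 * ", ...}" (the ", 0xXX" that did not fit becomes ", ..."). 1 = complete, 0 = cut. */
int format_acpi_buffer(const uint8_t *data, size_t n, char *out, size_t out_size)
{
    size_t pos = 1, i;
    if (n == 0 && out_size >= 3) { memcpy(out, "{}", 3); return 1; }
    if (out_size < 6) {                 /* no room even for "{...}" + NUL */
        if (out_size) out[0] = '\0';
        return 0;
    }
    out[0] = '{';
    for (i = 0; i < n; i++) {
        int last = (i + 1 == n);
        /* "0xXX" then "}\0", or "0xXX, " with "...}\0" still reserved after it */
        size_t need = last ? 4 + 2 : 4 + 2 + 5;
        if (pos + need > out_size) {
            memcpy(out + pos, "...}", 5);   /* fits: reserved by the previous check */
            return 0;
        }
        pos += (size_t)snprintf(out + pos, out_size - pos,
                                last ? "0x%02x}" : "0x%02x, ", data[i]);
    }
    return 1;
}
/* Exact-size variant, following the "allocate a buffer of the right size"
 * suggestion (kmalloc in the module, plain malloc here). Caller frees it. */
char *format_acpi_buffer_alloc(const uint8_t *data, size_t n)
{
    char *out = malloc(acpi_buffer_text_size(n));
    if (out) format_acpi_buffer(data, n, out, acpi_buffer_text_size(n));
    return out;
}
/* Demo: a constructed 3-byte result formatted into a buffer of out_size bytes. */
const char *format_demo(size_t out_size)
{
    static const uint8_t sample[] = {0x00, 0x01, 0x02};  /* constructed input */
    static char out[64];
    format_acpi_buffer(sample, sizeof sample, out, out_size < sizeof out ? out_size : sizeof out);
    return out;
}
```

With a 19-byte output buffer format_demo prints the whole result; with 16 bytes it yields `{0x00, ...}` and with fewer than 6 bytes an empty string, never an overflow.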
So far I've got https://github.com/Bumblebee-Project/acpi_call/tree/fix-buffer-overflow
I think acpi_proc_read needs to be rewritten in case result_buffer is bigger than the size of the page char pointer. To be continued tomorrow.
from acpi_call.
I stand corrected, acpi_proc_read is fine. As long as BUFFER_SIZE is lower than the size of a page, it's OK (page size is 4096 bytes on x86 and varies between 4, 8, 16 and 64KiB on ia64).
acpi_proc_write has one thing that confuses me: why is the input buffer set to a size of 512 if the buffers are set to BUFFER_SIZE (=256)? If it's just to accept the trailing newline, it should be set to BUFFER_SIZE because the newline does not have to be added (i.e. using printf "%s" 'method here').
temporary_buffer is already protected against buffer overflow, but floods the kernel log if the buffer is too small. I've confirmed this in VirtualBox. For experimental purposes, I set BUFFER_SIZE to 32 and ran the following:
# printf '\_SB.PCI0.HDEF._DSM 0 0 0 {0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0;' > /proc/acpi/call ;dmesg | tail -4
acpi_call: buffer arg4 is truncated because the buffer is full
acpi_call: buffer arg4 is truncated because the buffer is full
acpi_call: Calling \_SB.PCI0.HDEF._DSM
acpi_call: Call successful: {0x00}
I'll fix the duplicate messages in the next commit.
For future reference, the documentation of read_proc in the kernel source.
from acpi_call.
@mkottman please review and merge:
Bumblebee-Project/acpi_call@master...fix-buffer-overflow
@devkev: could you test the patch?
from acpi_call.
Confirmed working on my laptop in 3.0.3, thanks very much.
from acpi_call.
Pull request fixing this issue at #20
from acpi_call.