BCC: [email protected]
CC: [email protected]
In-Reply-To: <[email protected]>
References: <[email protected]>
TO: Hangyu Hua <[email protected]>
TO: [email protected]
TO: [email protected]
TO: [email protected]
TO: [email protected]
CC: [email protected]
CC: Hangyu Hua <[email protected]>

Hi Hangyu,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on tty/tty-testing]
[also build test WARNING on linus/master v6.0-rc4 next-20220908]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    
https://github.com/intel-lab-lkp/linux/commits/Hangyu-Hua/tty-vt-add-a-bounds-checking-in-vt_do_kdgkb_ioctl/20220908-155511
base:   https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git 
tty-testing
:::::: branch date: 11 hours ago
:::::: commit date: 11 hours ago
config: microblaze-randconfig-m031-20220907 
(https://download.01.org/0day-ci/archive/20220909/[email protected]/config)
compiler: microblaze-linux-gcc (GCC) 12.1.0

If you fix the issue, kindly add following tag where applicable
Reported-by: kernel test robot <[email protected]>
Reported-by: Dan Carpenter <[email protected]>

New smatch warnings:
drivers/tty/vt/keyboard.c:2070 vt_do_kdgkb_ioctl() warn: impossible condition 
'(kb_func >= 256) => (0-255 >= 256)'

Old smatch warnings:
drivers/tty/vt/keyboard.c:2088 vt_do_kdgkb_ioctl() warn: possible info leak 
'kbs'
drivers/tty/vt/keyboard.c:2110 vt_do_kdgkb_ioctl() error: uninitialized symbol 
'kbs'.
drivers/tty/vt/keyboard.c:2112 vt_do_kdgkb_ioctl() error: uninitialized symbol 
'ret'.

vim +2070 drivers/tty/vt/keyboard.c

4e1404a5cd0436 Jiri Slaby         2020-10-29  2059  
079c9534a96da9 Alan Cox           2012-02-28  2060  int vt_do_kdgkb_ioctl(int 
cmd, struct kbsentry __user *user_kdgkb, int perm)
079c9534a96da9 Alan Cox           2012-02-28  2061  {
4e1404a5cd0436 Jiri Slaby         2020-10-29  2062      unsigned char kb_func;
4e1404a5cd0436 Jiri Slaby         2020-10-29  2063      unsigned long flags;
07edff9265204e Jiri Slaby         2020-10-29  2064      char *kbs;
079c9534a96da9 Alan Cox           2012-02-28  2065      int ret;
079c9534a96da9 Alan Cox           2012-02-28  2066  
07edff9265204e Jiri Slaby         2020-10-29  2067      if (get_user(kb_func, 
&user_kdgkb->kb_func))
07edff9265204e Jiri Slaby         2020-10-29  2068              return -EFAULT;
079c9534a96da9 Alan Cox           2012-02-28  2069  
9878c90ddacf7a Hangyu Hua         2022-09-08 @2070      if (kb_func >= 
MAX_NR_FUNC)
9878c90ddacf7a Hangyu Hua         2022-09-08  2071              return -EFAULT;
9878c90ddacf7a Hangyu Hua         2022-09-08  2072  
07edff9265204e Jiri Slaby         2020-10-29  2073      kb_func = 
array_index_nospec(kb_func, MAX_NR_FUNC);
079c9534a96da9 Alan Cox           2012-02-28  2074  
079c9534a96da9 Alan Cox           2012-02-28  2075      switch (cmd) {
6ca03f90527e49 Jiri Slaby         2020-10-19  2076      case KDGKBSENT: {
6ca03f90527e49 Jiri Slaby         2020-10-19  2077              /* size should 
have been a struct member */
82e61c3909db51 Jiri Slaby         2020-10-19  2078              ssize_t len = 
sizeof(user_kdgkb->kb_string);
82e61c3909db51 Jiri Slaby         2020-10-19  2079  
07edff9265204e Jiri Slaby         2020-10-29  2080              kbs = 
kmalloc(len, GFP_KERNEL);
07edff9265204e Jiri Slaby         2020-10-29  2081              if (!kbs)
07edff9265204e Jiri Slaby         2020-10-29  2082                      return 
-ENOMEM;
07edff9265204e Jiri Slaby         2020-10-29  2083  
82e61c3909db51 Jiri Slaby         2020-10-19  2084              
spin_lock_irqsave(&func_buf_lock, flags);
07edff9265204e Jiri Slaby         2020-10-29  2085              len = 
strlcpy(kbs, func_table[kb_func] ? : "", len);
82e61c3909db51 Jiri Slaby         2020-10-19  2086              
spin_unlock_irqrestore(&func_buf_lock, flags);
6ca03f90527e49 Jiri Slaby         2020-10-19  2087  
07edff9265204e Jiri Slaby         2020-10-29  2088              ret = 
copy_to_user(user_kdgkb->kb_string, kbs, len + 1) ?
07edff9265204e Jiri Slaby         2020-10-29  2089                      -EFAULT 
: 0;
6ca03f90527e49 Jiri Slaby         2020-10-19  2090  
4e1404a5cd0436 Jiri Slaby         2020-10-29  2091              break;
079c9534a96da9 Alan Cox           2012-02-28  2092      }
079c9534a96da9 Alan Cox           2012-02-28  2093      case KDSKBSENT:
cb58a5046095c0 Jiri Slaby         2020-10-29  2094              if (!perm || 
!capable(CAP_SYS_TTY_CONFIG))
07edff9265204e Jiri Slaby         2020-10-29  2095                      return 
-EPERM;
07edff9265204e Jiri Slaby         2020-10-29  2096  
07edff9265204e Jiri Slaby         2020-10-29  2097              kbs = 
strndup_user(user_kdgkb->kb_string,
07edff9265204e Jiri Slaby         2020-10-29  2098                              
sizeof(user_kdgkb->kb_string));
07edff9265204e Jiri Slaby         2020-10-29  2099              if (IS_ERR(kbs))
07edff9265204e Jiri Slaby         2020-10-29  2100                      return 
PTR_ERR(kbs);
079c9534a96da9 Alan Cox           2012-02-28  2101  
46ca3f735f345c Sergei Trofimovich 2019-03-10  2102              
spin_lock_irqsave(&func_buf_lock, flags);
4e1404a5cd0436 Jiri Slaby         2020-10-29  2103              kbs = 
vt_kdskbsent(kbs, kb_func);
46ca3f735f345c Sergei Trofimovich 2019-03-10  2104              
spin_unlock_irqrestore(&func_buf_lock, flags);
4e1404a5cd0436 Jiri Slaby         2020-10-29  2105  
4e1404a5cd0436 Jiri Slaby         2020-10-29  2106              ret = 0;
079c9534a96da9 Alan Cox           2012-02-28  2107              break;
079c9534a96da9 Alan Cox           2012-02-28  2108      }
4e1404a5cd0436 Jiri Slaby         2020-10-29  2109  
079c9534a96da9 Alan Cox           2012-02-28  2110      kfree(kbs);
4e1404a5cd0436 Jiri Slaby         2020-10-29  2111  
079c9534a96da9 Alan Cox           2012-02-28  2112      return ret;
079c9534a96da9 Alan Cox           2012-02-28  2113  }
079c9534a96da9 Alan Cox           2012-02-28  2114  
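Review bot: At line 2085 `strlcpy()` returns the length of the source string, not the number of bytes it copied, so the `len + 1` passed to `copy_to_user()` at line 2088 stays inside the `kmalloc()`ed buffer only while every `func_table` entry is shorter than `sizeof(user_kdgkb->kb_string)`. The KDSKBSENT branch does bound new strings to that size through `strndup_user()` at line 2097, but other writers of `func_table` are not visible in this listing, so the invariant is presumably relied on rather than enforced here. Clamping after the copy, e.g. `len = min_t(ssize_t, len, sizeof(user_kdgkb->kb_string) - 1);`, or switching to `strscpy()` and handling its negative return, would keep the copy-out within the allocation regardless of what the table holds. This concerns the KDGKBSENT path as it stands after the patch, not the two lines added at 2070-2071.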

-- 
0-DAY CI Kernel Test Service
https://01.org/lkp