| Message ID | 20190218214309.29985-1-jannh@google.com (mailing list archive) |
|---|---|
| State | Mainlined, archived |
| Commit | b9472f7d8224460499dd7128ec944735ed5345a0 |
| Headers | show |
| Series | firmware: xilinx: fix debugfs write handler | expand |
On 18. 02. 19 22:43, Jann Horn wrote: > - Userspace wants to write a string with `len` bytes, not counting the > terminating NULL, so we should allocate `len+1` bytes. It looks like the > current code relied on having a nullbyte directly behind `kern_buff`, > which happens to work reliably as long as `len` isn't one of the kmalloc > size classes. > - strncpy_from_user() is completely wrong here; userspace is giving us a > (not necessarily null-terminated) buffer and its length. > strncpy_from_user() is for cases in which we don't know the length. > - Don't let broken userspace allocate arbitrarily big kmalloc allocations. > > Just use memdup_user_nul(), which is designed precisely for things like > this. > > Signed-off-by: Jann Horn <jannh@google.com> > --- > WARNING: completely untested patch > > drivers/firmware/xilinx/zynqmp-debug.c | 15 ++++----------- > 1 file changed, 4 insertions(+), 11 deletions(-) > > diff --git a/drivers/firmware/xilinx/zynqmp-debug.c b/drivers/firmware/xilinx/zynqmp-debug.c > index 2771df6df379..90b66cdbfd58 100644 > --- a/drivers/firmware/xilinx/zynqmp-debug.c > +++ b/drivers/firmware/xilinx/zynqmp-debug.c > @@ -163,21 +163,14 @@ static ssize_t zynqmp_pm_debugfs_api_write(struct file *file, > > strcpy(debugfs_buf, ""); > > - if (*off != 0 || len == 0) > + if (*off != 0 || len <= 1 || len > PAGE_SIZE - 1) > return -EINVAL; > > - kern_buff = kzalloc(len, GFP_KERNEL); > - if (!kern_buff) > - return -ENOMEM; > - > + kern_buff = memdup_user_nul(ptr, len); > + if (IS_ERR(kern_buff)) > + return PTR_ERR(kern_buff); > tmp_buff = kern_buff; > > - ret = strncpy_from_user(kern_buff, ptr, len); > - if (ret < 0) { > - ret = -EFAULT; > - goto err; > - } > - > /* Read the API name from a user request */ > pm_api_req = strsep(&kern_buff, " "); > > Jolly: Can you please retest it and ACK? Thanks, Michal
Acked-by: Jolly Shah <jollys@xilinx.com> > -----Original Message----- > From: Jann Horn <jannh@google.com> > Sent: Monday, February 18, 2019 1:43 PM > To: Michal Simek <michals@xilinx.com>; jannh@google.com > Cc: Rajan Vaja <RAJANV@xilinx.com>; Jolly Shah <JOLLYS@xilinx.com>; linux- > arm-kernel@lists.infradead.org; linux-kernel@vger.kernel.org > Subject: [PATCH] firmware: xilinx: fix debugfs write handler > > - Userspace wants to write a string with `len` bytes, not counting the > terminating NULL, so we should allocate `len+1` bytes. It looks like the > current code relied on having a nullbyte directly behind `kern_buff`, > which happens to work reliably as long as `len` isn't one of the kmalloc > size classes. > - strncpy_from_user() is completely wrong here; userspace is giving us a > (not necessarily null-terminated) buffer and its length. > strncpy_from_user() is for cases in which we don't know the length. > - Don't let broken userspace allocate arbitrarily big kmalloc allocations. > > Just use memdup_user_nul(), which is designed precisely for things like > this. > > Signed-off-by: Jann Horn <jannh@google.com> > --- > WARNING: completely untested patch > > drivers/firmware/xilinx/zynqmp-debug.c | 15 ++++----------- > 1 file changed, 4 insertions(+), 11 deletions(-) > > diff --git a/drivers/firmware/xilinx/zynqmp-debug.c > b/drivers/firmware/xilinx/zynqmp-debug.c > index 2771df6df379..90b66cdbfd58 100644 > --- a/drivers/firmware/xilinx/zynqmp-debug.c > +++ b/drivers/firmware/xilinx/zynqmp-debug.c > @@ -163,21 +163,14 @@ static ssize_t zynqmp_pm_debugfs_api_write(struct > file *file, > > strcpy(debugfs_buf, ""); > > - if (*off != 0 || len == 0) > + if (*off != 0 || len <= 1 || len > PAGE_SIZE - 1) > return -EINVAL; > > - kern_buff = kzalloc(len, GFP_KERNEL); > - if (!kern_buff) > - return -ENOMEM; > - > + kern_buff = memdup_user_nul(ptr, len); > + if (IS_ERR(kern_buff)) > + return PTR_ERR(kern_buff); > tmp_buff = kern_buff; > > - ret = strncpy_from_user(kern_buff, ptr, len); > - if (ret < 0) { > - ret = -EFAULT; > - goto err; > - } > - > /* Read the API name from a user request */ > pm_api_req = strsep(&kern_buff, " "); > > -- > 2.21.0.rc0.258.g878e2cd30e-goog
On 18. 02. 19 22:43, Jann Horn wrote: > - Userspace wants to write a string with `len` bytes, not counting the > terminating NULL, so we should allocate `len+1` bytes. It looks like the > current code relied on having a nullbyte directly behind `kern_buff`, > which happens to work reliably as long as `len` isn't one of the kmalloc > size classes. > - strncpy_from_user() is completely wrong here; userspace is giving us a > (not necessarily null-terminated) buffer and its length. > strncpy_from_user() is for cases in which we don't know the length. > - Don't let broken userspace allocate arbitrarily big kmalloc allocations. > > Just use memdup_user_nul(), which is designed precisely for things like > this. > > Signed-off-by: Jann Horn <jannh@google.com> > --- > WARNING: completely untested patch > > drivers/firmware/xilinx/zynqmp-debug.c | 15 ++++----------- > 1 file changed, 4 insertions(+), 11 deletions(-) > > diff --git a/drivers/firmware/xilinx/zynqmp-debug.c b/drivers/firmware/xilinx/zynqmp-debug.c > index 2771df6df379..90b66cdbfd58 100644 > --- a/drivers/firmware/xilinx/zynqmp-debug.c > +++ b/drivers/firmware/xilinx/zynqmp-debug.c > @@ -163,21 +163,14 @@ static ssize_t zynqmp_pm_debugfs_api_write(struct file *file, > > strcpy(debugfs_buf, ""); > > - if (*off != 0 || len == 0) > + if (*off != 0 || len <= 1 || len > PAGE_SIZE - 1) > return -EINVAL; > > - kern_buff = kzalloc(len, GFP_KERNEL); > - if (!kern_buff) > - return -ENOMEM; > - > + kern_buff = memdup_user_nul(ptr, len); > + if (IS_ERR(kern_buff)) > + return PTR_ERR(kern_buff); > tmp_buff = kern_buff; > > - ret = strncpy_from_user(kern_buff, ptr, len); > - if (ret < 0) { > - ret = -EFAULT; > - goto err; > - } > - > /* Read the API name from a user request */ > pm_api_req = strsep(&kern_buff, " "); > > applied with Jolly's ack. Thanks, Michal
diff --git a/drivers/firmware/xilinx/zynqmp-debug.c b/drivers/firmware/xilinx/zynqmp-debug.c index 2771df6df379..90b66cdbfd58 100644 --- a/drivers/firmware/xilinx/zynqmp-debug.c +++ b/drivers/firmware/xilinx/zynqmp-debug.c @@ -163,21 +163,14 @@ static ssize_t zynqmp_pm_debugfs_api_write(struct file *file, strcpy(debugfs_buf, ""); - if (*off != 0 || len == 0) + if (*off != 0 || len <= 1 || len > PAGE_SIZE - 1) return -EINVAL; - kern_buff = kzalloc(len, GFP_KERNEL); - if (!kern_buff) - return -ENOMEM; - + kern_buff = memdup_user_nul(ptr, len); + if (IS_ERR(kern_buff)) + return PTR_ERR(kern_buff); tmp_buff = kern_buff; - ret = strncpy_from_user(kern_buff, ptr, len); - if (ret < 0) { - ret = -EFAULT; - goto err; - } - /* Read the API name from a user request */ pm_api_req = strsep(&kern_buff, " ");
- Userspace wants to write a string with `len` bytes, not counting the terminating NULL, so we should allocate `len+1` bytes. It looks like the current code relied on having a nullbyte directly behind `kern_buff`, which happens to work reliably as long as `len` isn't one of the kmalloc size classes. - strncpy_from_user() is completely wrong here; userspace is giving us a (not necessarily null-terminated) buffer and its length. strncpy_from_user() is for cases in which we don't know the length. - Don't let broken userspace allocate arbitrarily big kmalloc allocations. Just use memdup_user_nul(), which is designed precisely for things like this. Signed-off-by: Jann Horn <jannh@google.com> --- WARNING: completely untested patch drivers/firmware/xilinx/zynqmp-debug.c | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-)