Message ID | YIBCf+G9Ef8wrGJw@mwanda (mailing list archive) |
---|---|
State | Accepted, archived |
Headers | show |
Series | [v2] platform/x86: intel_pmc_core: Uninitialized data in pmc_core_lpm_latch_mode_write() | expand |
Hi, On 4/21/21 5:19 PM, Dan Carpenter wrote: > The simple_write_to_buffer() can return success if even a single byte > is copied from user space. In this case it can result in using > uninitalized data if the buf[] array is not fully initialized. Really > we should only succeed if the whole buffer is copied. > > Just using copy_from_user() is simpler and more appropriate. > > Fixes: 8074a79fad2e ("platform/x86: intel_pmc_core: Add option to set/clear LPM mode") > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> > --- > v2: The first version of this patch returned -EINVAL if userspace didn't > give us NUL terminated strings. That's not necessarily a good > assumption. > > This patch is just simpler as well. No need to introduce the "len" > variable because "count" is capped at the start of the function. Much better, thank you. Thank you for your patch, I've applied this patch to my review-hans branch: https://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86.git/log/?h=review-hans Note it will show up in my review-hans branch once I've pushed my local branch there, which might take a while. Once I've run some tests on this branch the patches there will be added to the platform-drivers-x86/for-next branch and eventually will be included in the pdx86 pull-request to Linus for the next merge-window. Regards, Hans > drivers/platform/x86/intel_pmc_core.c | 8 ++------ > 1 file changed, 2 insertions(+), 6 deletions(-) > > diff --git a/drivers/platform/x86/intel_pmc_core.c b/drivers/platform/x86/intel_pmc_core.c > index d174aeb492e0..b0e486a6bdfb 100644 > --- a/drivers/platform/x86/intel_pmc_core.c > +++ b/drivers/platform/x86/intel_pmc_core.c > @@ -1360,17 +1360,13 @@ static ssize_t pmc_core_lpm_latch_mode_write(struct file *file, > struct pmc_dev *pmcdev = s->private; > bool clear = false, c10 = false; > unsigned char buf[8]; > - ssize_t ret; > int idx, m, mode; > u32 reg; > > if (count > sizeof(buf) - 1) > return -EINVAL; > - > - ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf, count); > - if (ret < 0) > - return ret; > - > + if (copy_from_user(buf, userbuf, count)) > + return -EFAULT; > buf[count] = '\0'; > > /* >
diff --git a/drivers/platform/x86/intel_pmc_core.c b/drivers/platform/x86/intel_pmc_core.c index d174aeb492e0..b0e486a6bdfb 100644 --- a/drivers/platform/x86/intel_pmc_core.c +++ b/drivers/platform/x86/intel_pmc_core.c @@ -1360,17 +1360,13 @@ static ssize_t pmc_core_lpm_latch_mode_write(struct file *file, struct pmc_dev *pmcdev = s->private; bool clear = false, c10 = false; unsigned char buf[8]; - ssize_t ret; int idx, m, mode; u32 reg; if (count > sizeof(buf) - 1) return -EINVAL; - - ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf, count); - if (ret < 0) - return ret; - + if (copy_from_user(buf, userbuf, count)) + return -EFAULT; buf[count] = '\0'; /*
The simple_write_to_buffer() can return success if even a single byte is copied from user space. In this case it can result in using uninitalized data if the buf[] array is not fully initialized. Really we should only succeed if the whole buffer is copied. Just using copy_from_user() is simpler and more appropriate. Fixes: 8074a79fad2e ("platform/x86: intel_pmc_core: Add option to set/clear LPM mode") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> --- v2: The first version of this patch returned -EINVAL if userspace didn't give us NUL terminated strings. That's not necessarily a good assumption. This patch is just simpler as well. No need to introduce the "len" variable because "count" is capped at the start of the function. drivers/platform/x86/intel_pmc_core.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-)