From patchwork Thu Jan 18 05:11:46 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Venkateswara Naralasetty <vnaralas@codeaurora.org>
X-Patchwork-Id: 10172383
Return-Path: 
 <ath10k-bounces+patchwork-ath10k=patchwork.kernel.org@lists.infradead.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	A4A48601E7 for <patchwork-ath10k@patchwork.kernel.org>;
	Thu, 18 Jan 2018 05:12:24 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 823AD201F3
	for <patchwork-ath10k@patchwork.kernel.org>;
	Thu, 18 Jan 2018 05:12:24 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 74ED920700; Thu, 18 Jan 2018 05:12:24 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1
Received: from bombadil.infradead.org (bombadil.infradead.org
	[65.50.211.133])
	(using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id CC2DB201F3
	for <patchwork-ath10k@patchwork.kernel.org>;
	Thu, 18 Jan 2018 05:12:23 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
	d=lists.infradead.org; s=bombadil.20170209; h=Sender:
	Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe:
	List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Message-Id:Date:
	Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date:
	Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:
	References:List-Owner; bh=PmBjE4HxWIKjcsVCmTg1VCZE4XaCgcGVaobLk1FjDz0=;
	b=B+o
	feYVkdhmy+O/9eD9vjUUZ1uVIztpG1u/n5FLfnBNf5ZPT6gW2q9NRXrVe3ZSJ8LvmR5R6Y4btepik
	ZgqJjlHj+NkoEuzaEFiJsg5FjVYnAt0QIdrh2wd1C2A+xFzKtN1KyZZSo91ZhI5DzHmFqH2e/seLq
	WWjJTFh2bda70euzSVGhMjMNdfQ86CRHwFuw7BU+r2U52YC5rW4HZcrzMLrZ6cSPV4uLoPRZt4i+x
	K+UyFXxR6i5uml2w0Ss0v+0LdAE63wJ+qCeFlHHQnsLTMOKHw805majkqwb+zGdRE2cdEt9wM6699
	2fS72nkvOAUU+70b66LVdLNLtMxRbzw==;
Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org)
	by bombadil.infradead.org with esmtp (Exim 4.89 #1 (Red Hat Linux))
	id 1ec2Uk-0003aV-Ei; Thu, 18 Jan 2018 05:12:10 +0000
Received: from smtp.codeaurora.org ([198.145.29.96])
	by bombadil.infradead.org with esmtps (Exim 4.89 #1 (Red Hat Linux))
	id 1ec2Ug-0003XP-Ni
	for ath10k@lists.infradead.org; Thu, 18 Jan 2018 05:12:08 +0000
Received: by smtp.codeaurora.org (Postfix, from userid 1000)
	id 8E492608CB; Thu, 18 Jan 2018 05:11:55 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org;
	s=default; t=1516252315;
	bh=7SGj/SAtYl3fozM69B43jFTRsHXl3lUSjrp4FV/tZxA=;
	h=From:To:Cc:Subject:Date:From;
	b=okdfL0F4ZSjPNJDXx0XpK92r6NIHjri7nEhY4hzeAvir2EMrdcl80MQ/rWuYyFVyX
	yjr2xzyAgrvYEGFITF/v9ZCfMvzztnK5VnvScFI9YYC/WCypL0otEjyE/WvpDBIG4p
	uudWebJJAlGM1wKMGXlsJ37EMNOeXfklom+YOC0s=
Received: from tejas.qca.qualcomm.com
	(blr-c-bdr-fw-01_globalnat_allzones-outside.qualcomm.com
	[103.229.19.19])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits))
	(No client certificate requested)
	(Authenticated sender: vnaralas@codeaurora.org)
	by smtp.codeaurora.org (Postfix) with ESMTPSA id 2E3796074C;
	Thu, 18 Jan 2018 05:11:53 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org;
	s=default; t=1516252315;
	bh=7SGj/SAtYl3fozM69B43jFTRsHXl3lUSjrp4FV/tZxA=;
	h=From:To:Cc:Subject:Date:From;
	b=okdfL0F4ZSjPNJDXx0XpK92r6NIHjri7nEhY4hzeAvir2EMrdcl80MQ/rWuYyFVyX
	yjr2xzyAgrvYEGFITF/v9ZCfMvzztnK5VnvScFI9YYC/WCypL0otEjyE/WvpDBIG4p
	uudWebJJAlGM1wKMGXlsJ37EMNOeXfklom+YOC0s=
DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org 2E3796074C
Authentication-Results: pdx-caf-mail.web.codeaurora.org;
	dmarc=none (p=none dis=none) header.from=codeaurora.org
Authentication-Results: pdx-caf-mail.web.codeaurora.org;
	spf=none smtp.mailfrom=vnaralas@codeaurora.org
From: Venkateswara Naralasetty <vnaralas@codeaurora.org>
To: ath10k@lists.infradead.org
Subject: [PATCH] ath10k: fix information leak in debugfs
Date: Thu, 18 Jan 2018 10:41:46 +0530
Message-Id: <1516252306-21256-1-git-send-email-vnaralas@codeaurora.org>
X-Mailer: git-send-email 2.7.4
X-BeenThere: ath10k@lists.infradead.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <ath10k.lists.infradead.org>
List-Unsubscribe: <http://lists.infradead.org/mailman/options/ath10k>,
	<mailto:ath10k-request@lists.infradead.org?subject=unsubscribe>
List-Archive: <http://lists.infradead.org/pipermail/ath10k/>
List-Post: <mailto:ath10k@lists.infradead.org>
List-Help: <mailto:ath10k-request@lists.infradead.org?subject=help>
List-Subscribe: <http://lists.infradead.org/mailman/listinfo/ath10k>,
	<mailto:ath10k-request@lists.infradead.org?subject=subscribe>
Cc: Venkateswara Naralasetty <vnaralas@codeaurora.org>
MIME-Version: 1.0
Sender: "ath10k" <ath10k-bounces@lists.infradead.org>
Errors-To: 
 ath10k-bounces+patchwork-ath10k=patchwork.kernel.org@lists.infradead.org
X-Virus-Scanned: ClamAV using ClamSMTP

During write to some of debugfs in ath10k, few variables
exposing stack data when process user input. which leads
to possible information leak.

This patch fix this issue by initializing buffer and checks
the return valure of 'simple_write_to_buffer'.

Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org>
---
 drivers/net/wireless/ath/ath10k/debug.c       | 21 +++++++++---------
 drivers/net/wireless/ath/ath10k/debugfs_sta.c | 31 ++++++++++++++-------------
 2 files changed, 27 insertions(+), 25 deletions(-)

diff --git a/drivers/net/wireless/ath/ath10k/debug.c b/drivers/net/wireless/ath/ath10k/debug.c
index 6d836a2..e0120ff 100644
--- a/drivers/net/wireless/ath/ath10k/debug.c
+++ b/drivers/net/wireless/ath/ath10k/debug.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (c) 2005-2011 Atheros Communications Inc.
  * Copyright (c) 2011-2017 Qualcomm Atheros, Inc.
+ * Copyright (c) 2018, The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -979,13 +980,13 @@ static ssize_t ath10k_write_htt_max_amsdu_ampdu(struct file *file,
 {
 	struct ath10k *ar = file->private_data;
 	int res;
-	char buf[64];
+	char buf[64] = {0};
 	unsigned int amsdu, ampdu;
 
-	simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
-
-	/* make sure that buf is null terminated */
-	buf[sizeof(buf) - 1] = 0;
+	res = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos,
+				     user_buf, count);
+	if (res <= 0)
+		return res;
 
 	res = sscanf(buf, "%u %u", &amsdu, &ampdu);
 
@@ -1035,14 +1036,14 @@ static ssize_t ath10k_write_fw_dbglog(struct file *file,
 {
 	struct ath10k *ar = file->private_data;
 	int ret;
-	char buf[96];
+	char buf[96] = {0};
 	unsigned int log_level;
 	u64 mask;
 
-	simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
-
-	/* make sure that buf is null terminated */
-	buf[sizeof(buf) - 1] = 0;
+	ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos,
+				     user_buf, count);
+	if (ret <= 0)
+		return ret;
 
 	ret = sscanf(buf, "%llx %u", &mask, &log_level);
 
diff --git a/drivers/net/wireless/ath/ath10k/debugfs_sta.c b/drivers/net/wireless/ath/ath10k/debugfs_sta.c
index b260b09..5583854 100644
--- a/drivers/net/wireless/ath/ath10k/debugfs_sta.c
+++ b/drivers/net/wireless/ath/ath10k/debugfs_sta.c
@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 2014-2017 Qualcomm Atheros, Inc.
+ * Copyright (c) 2018, The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -136,12 +137,12 @@ static ssize_t ath10k_dbg_sta_write_addba(struct file *file,
 	struct ath10k *ar = arsta->arvif->ar;
 	u32 tid, buf_size;
 	int ret;
-	char buf[64];
+	char buf[64] = {0};
 
-	simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
-
-	/* make sure that buf is null terminated */
-	buf[sizeof(buf) - 1] = '\0';
+	ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos,
+				     user_buf, count);
+	if (ret <= 0)
+		return ret;
 
 	ret = sscanf(buf, "%u %u", &tid, &buf_size);
 	if (ret != 2)
@@ -187,12 +188,12 @@ static ssize_t ath10k_dbg_sta_write_addba_resp(struct file *file,
 	struct ath10k *ar = arsta->arvif->ar;
 	u32 tid, status;
 	int ret;
-	char buf[64];
-
-	simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
+	char buf[64] = {0};
 
-	/* make sure that buf is null terminated */
-	buf[sizeof(buf) - 1] = '\0';
+	ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos,
+				     user_buf, count);
+	if (ret <= 0)
+		return ret;
 
 	ret = sscanf(buf, "%u %u", &tid, &status);
 	if (ret != 2)
@@ -237,12 +238,12 @@ static ssize_t ath10k_dbg_sta_write_delba(struct file *file,
 	struct ath10k *ar = arsta->arvif->ar;
 	u32 tid, initiator, reason;
 	int ret;
-	char buf[64];
-
-	simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
+	char buf[64] = {0};
 
-	/* make sure that buf is null terminated */
-	buf[sizeof(buf) - 1] = '\0';
+	ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos,
+				     user_buf, count);
+	if (ret <= 0)
+		return ret;
 
 	ret = sscanf(buf, "%u %u %u", &tid, &initiator, &reason);
 	if (ret != 3)