From patchwork Mon Feb 19 12:51:21 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Venkateswara Naralasetty X-Patchwork-Id: 10227861 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 0AC3160392 for ; Mon, 19 Feb 2018 13:41:56 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id ED2AD288E0 for ; Mon, 19 Feb 2018 13:41:55 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id E1EAC28911; Mon, 19 Feb 2018 13:41:55 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID autolearn=unavailable version=3.3.1 Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 87673288E0 for ; Mon, 19 Feb 2018 13:41:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20170209; h=Sender: Content-Transfer-Encoding:Content-Type:MIME-Version:Cc:List-Subscribe: List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id:Message-Id:Date: Subject:To:From:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Owner; bh=uIUArogue44OIT85drJntvuTqAnIfqAfpd8LQmlFYww=; b=VeF M+pGqV9ZwQEY40TCxT3auLb0IYf3Efm0FodDWqjbJ6+/MBQirO/HOeOvLSPSUby1z6Bo0HFAAsblr tG2OWfIqkL39MyexK2GslSXGMzV45/vkM3foCWyIYc901j/RuVX4JKaqgeopMCKAUhrnole8fHFwl ksTwkKhpFm7iJ4Qy1aHz3sCu8yjtdh5GQSlUel7rYjY7sFlvIMHRpiEE3QmZQlS5LpkryVVYWZdQE 9h3rrs367lV4kZHw/Nc5pxqyWdRTLfULgUzMF45WsDZKD0BPhtSYpXlEcK+gvBObwBWxI/Jtyv4bR rYGQqsUHnrBJr3VHeIG8wyeoZy0eUQA==; Received: from localhost ([127.0.0.1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.89 #1 (Red Hat Linux)) id 1enlhP-0005se-PJ; Mon, 19 Feb 2018 13:41:43 +0000 Received: from merlin.infradead.org ([2001:8b0:10b:1231::1]) by bombadil.infradead.org with esmtps (Exim 4.89 #1 (Red Hat Linux)) id 1enlhI-0005oH-Sd for ath10k@bombadil.infradead.org; Mon, 19 Feb 2018 13:41:37 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=merlin.20170209; h=Message-Id:Date:Subject:Cc:To:From: Sender:Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=eW+K648SeH+BI0QkrYK3bliy109Tq7osdnoYoDW5kAo=; b=0xTL66xcdZw8go5k9aIo6mjVa PgDAdqZcJXpe/mioK+RR8OcdWY9l6fjgCJeHDrIcVGd0erE6i4LeY9syGDT9/3alQ/pzxteUhOW33 s8wRLiTj75ZotipnkKsRH/XmKNaJFkzxMiSm+YfaYvjjGez3+RR9LelhZFmv/FalDmuVCdcP9XxOY INr3fHyZX4MozsaStxI5+6rdAg7zjkO3XDC/hI5n7dbOv/6D0/RRIepEOJlbDWq8xspvTJxgGybia bAVQXmpvJxNjOsZS3gV8EJ97vu4kcF4XOcGWSZxxDdkAfoLpm5rjHEEv8ZyMojm5MeGNwoqa0IxuA +SYhymL/w==; Received: from smtp.codeaurora.org ([198.145.29.96]) by merlin.infradead.org with esmtps (Exim 4.89 #1 (Red Hat Linux)) id 1enkuy-0001H4-Q0 for ath10k@lists.infradead.org; Mon, 19 Feb 2018 12:51:41 +0000 Received: by smtp.codeaurora.org (Postfix, from userid 1000) id 85C9460A66; Mon, 19 Feb 2018 12:51:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org; s=default; t=1519044688; bh=410g0d7HbgKA65FYkdzwnUVBf/ovbjHRKjshzUcUPfk=; h=From:To:Cc:Subject:Date:From; b=Gk+Itg9gNAJnIBmN6rQF167T1P2dUNoS4Y1C75WyJufj98s/HjOOxi4uhglasV6fE VGP+syb08h7EMcNkGHt8uZctI82ZII78UzKglgagYgNituxRaJq0bNlLRfqM2mFqoQ AXy32/vHPa6e4yQ6Wu0lSjA0plqa0aJMPSNB2GYg= Received: from tejas.qca.qualcomm.com (blr-c-bdr-fw-01_globalnat_allzones-outside.qualcomm.com [103.229.19.19]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: vnaralas@codeaurora.org) by smtp.codeaurora.org (Postfix) with ESMTPSA id 6B9E1602BC; Mon, 19 Feb 2018 12:51:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org; s=default; t=1519044687; bh=410g0d7HbgKA65FYkdzwnUVBf/ovbjHRKjshzUcUPfk=; h=From:To:Cc:Subject:Date:From; b=FaxQQIRo8ikQoDYAfYt0vYlkGA/HzERMovRb4fW9YNXZqQRecDlGF4RobpBs8fNU6 22BUeIgCuwVL1WaBHhQ8I4QX0jG7r2GCCL3tXi7bR/zprLeasboowPdEg8TAX0/W4E kfnzzk2NiAjJl+mkizJ0dlswwQJgVTpjrfhFtktc= DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org 6B9E1602BC Authentication-Results: pdx-caf-mail.web.codeaurora.org; dmarc=none (p=none dis=none) header.from=codeaurora.org Authentication-Results: pdx-caf-mail.web.codeaurora.org; spf=none smtp.mailfrom=vnaralas@codeaurora.org From: Venkateswara Naralasetty To: ath10k@lists.infradead.org Subject: [PATCH] ath10k: fix information leak in debugfs Date: Mon, 19 Feb 2018 18:21:21 +0530 Message-Id: <1519044681-5663-1-git-send-email-vnaralas@codeaurora.org> X-Mailer: git-send-email 2.7.4 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20180219_075140_987629_125F0BEE X-CRM114-Status: GOOD ( 12.01 ) X-BeenThere: ath10k@lists.infradead.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Venkateswara Naralasetty , linux-wireless@vger.kernel.org MIME-Version: 1.0 Sender: "ath10k" Errors-To: ath10k-bounces+patchwork-ath10k=patchwork.kernel.org@lists.infradead.org X-Virus-Scanned: ClamAV using ClamSMTP During write to some of debugfs in ath10k, few variables exposing stack data when process user input. which leads to possible information leak. This patch fix this issue by initializing buffer and checks the return valure of 'simple_write_to_buffer'. Signed-off-by: Venkateswara Naralasetty --- drivers/net/wireless/ath/ath10k/debug.c | 20 ++++++++--------- drivers/net/wireless/ath/ath10k/debugfs_sta.c | 31 ++++++++++++++------------- 2 files changed, 26 insertions(+), 25 deletions(-) diff --git a/drivers/net/wireless/ath/ath10k/debug.c b/drivers/net/wireless/ath/ath10k/debug.c index 554cd78..21c348b 100644 --- a/drivers/net/wireless/ath/ath10k/debug.c +++ b/drivers/net/wireless/ath/ath10k/debug.c @@ -987,13 +987,13 @@ static ssize_t ath10k_write_htt_max_amsdu_ampdu(struct file *file, { struct ath10k *ar = file->private_data; int res; - char buf[64]; + char buf[64] = {0}; unsigned int amsdu, ampdu; - simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count); - - /* make sure that buf is null terminated */ - buf[sizeof(buf) - 1] = 0; + res = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, + user_buf, count); + if (res <= 0) + return res; res = sscanf(buf, "%u %u", &amsdu, &du); @@ -1043,14 +1043,14 @@ static ssize_t ath10k_write_fw_dbglog(struct file *file, { struct ath10k *ar = file->private_data; int ret; - char buf[96]; + char buf[96] = {0}; unsigned int log_level; u64 mask; - simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count); - - /* make sure that buf is null terminated */ - buf[sizeof(buf) - 1] = 0; + ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, + user_buf, count); + if (ret <= 0) + return ret; ret = sscanf(buf, "%llx %u", &mask, &log_level); diff --git a/drivers/net/wireless/ath/ath10k/debugfs_sta.c b/drivers/net/wireless/ath/ath10k/debugfs_sta.c index b260b09..5583854 100644 --- a/drivers/net/wireless/ath/ath10k/debugfs_sta.c +++ b/drivers/net/wireless/ath/ath10k/debugfs_sta.c @@ -1,5 +1,6 @@ /* * Copyright (c) 2014-2017 Qualcomm Atheros, Inc. + * Copyright (c) 2018, The Linux Foundation. All rights reserved. * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -136,12 +137,12 @@ static ssize_t ath10k_dbg_sta_write_addba(struct file *file, struct ath10k *ar = arsta->arvif->ar; u32 tid, buf_size; int ret; - char buf[64]; + char buf[64] = {0}; - simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count); - - /* make sure that buf is null terminated */ - buf[sizeof(buf) - 1] = '\0'; + ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, + user_buf, count); + if (ret <= 0) + return ret; ret = sscanf(buf, "%u %u", &tid, &buf_size); if (ret != 2) @@ -187,12 +188,12 @@ static ssize_t ath10k_dbg_sta_write_addba_resp(struct file *file, struct ath10k *ar = arsta->arvif->ar; u32 tid, status; int ret; - char buf[64]; - - simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count); + char buf[64] = {0}; - /* make sure that buf is null terminated */ - buf[sizeof(buf) - 1] = '\0'; + ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, + user_buf, count); + if (ret <= 0) + return ret; ret = sscanf(buf, "%u %u", &tid, &status); if (ret != 2) @@ -237,12 +238,12 @@ static ssize_t ath10k_dbg_sta_write_delba(struct file *file, struct ath10k *ar = arsta->arvif->ar; u32 tid, initiator, reason; int ret; - char buf[64]; - - simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count); + char buf[64] = {0}; - /* make sure that buf is null terminated */ - buf[sizeof(buf) - 1] = '\0'; + ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, + user_buf, count); + if (ret <= 0) + return ret; ret = sscanf(buf, "%u %u %u", &tid, &initiator, &reason); if (ret != 3)