From patchwork Wed Jun 5 03:37:05 2013
X-Patchwork-Submitter: Solomon Peachy
X-Patchwork-Id: 2664481
From: Solomon Peachy
To: linux-wireless@vger.kernel.org
Cc: Solomon Peachy
Subject: [PATCH -next] cw1200: Sanity-check arguments in copy_from_user()
Date: Tue, 4 Jun 2013 23:37:05 -0400
Message-Id: <1370403425-22131-1-git-send-email-pizza@shaftnet.org>

The optional debugfs interface to the vendor's engineering tools wasn't
bounds checking at all, which made it trivial to perform a buffer overflow
if this interface was compiled in and then explicitly enabled at runtime.

This patch checks both the length supplied as part of the data to ensure
it is sane, and also the amount of data compared to the remaining buffer
space. If either is too large, fail immediately.

(This bug was spotted by Dan Carpenter)

Signed-off-by: Solomon Peachy
---
 drivers/net/wireless/cw1200/debug.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/drivers/net/wireless/cw1200/debug.c b/drivers/net/wireless/cw1200/debug.c
index b815181..1aeef5e 100644
--- a/drivers/net/wireless/cw1200/debug.c
+++ b/drivers/net/wireless/cw1200/debug.c
@@ -403,13 +403,13 @@ struct etf_req_msg; static int etf_request(struct cw1200_common *priv, struct etf_req_msg *msg, u32 len); -#define MAX_RX_SZE 2600 +#define MAX_RX_SIZE 2600 struct etf_in_state { struct cw1200_common *priv; - u32 total_len; - u8 buf[MAX_RX_SZE]; - u32 written; + u16 total_len; + u16 written; + u8 buf[MAX_RX_SIZE]; }; static int cw1200_etf_in_open(struct inode *inode, struct file *file)
@@ -454,6 +454,11 @@ static ssize_t cw1200_etf_in_write(struct file *file, return -EFAULT; } + if (etf->total_len > MAX_RX_SIZE) { + pr_err("requested length > MAX_RX_SIZE\n"); + return -EINVAL; + } + written += sizeof(etf->total_len); count -= sizeof(etf->total_len); } @@ -461,6 +466,11 @@ static ssize_t cw1200_etf_in_write(struct file *file, if (!count) goto done; + if (count > (etf->total_len - written)) { + pr_err("Tried to write > MAX_RX_SIZE\n"); + return -EINVAL; + } + if (copy_from_user(etf->buf + etf->written, user_buf + written, count)) { pr_err("copy_from_user (payload %zu) failed\n", count);
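Review bot: in the first hunk (@@ -403,13), narrowing total_len and written from u32 to u16 is a user-visible format change rather than a tidy-up: the write path consumes `sizeof(etf->total_len)` bytes of the user buffer as the length header (`written += sizeof(etf->total_len); count -= sizeof(etf->total_len);`), so the debugfs interface now expects a 2-byte length prefix where it previously read 4. The commit message only mentions bounds checking; it should say that a 16-bit length is what the vendor engineering tool actually sends, or the type change should go in a separate patch. The MAX_RX_SZE to MAX_RX_SIZE rename is fine in itself but is also unrelated churn in a fix that may be backported.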
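Review bot: in the second hunk (@@ -454,6), the `etf->total_len > MAX_RX_SIZE` check is the right place to bound the announced length, but it only bounds it from above. If a total_len smaller than sizeof(etf->total_len) is not meaningful for this interface, reject it here too, because the `etf->total_len - written` subtraction in the next hunk depends on that. Also, pr_err() on this path is reachable by anyone who can write to the debugfs file, so a bad length becomes a kernel-log spam vector; pr_err_ratelimited() or pr_debug() is the usual choice for user-triggered errors.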
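Review bot: in the third hunk (@@ -461,6), the new check measures the wrong remaining space. The copy lands at `etf->buf + etf->written`, the bytes already accumulated across previous write() calls, but the bound is `etf->total_len - written`, where `written` is the local offset into user_buf that is only nonzero on the call that carried the length header. On any follow-up call `written` is 0 and the check degrades to `count > etf->total_len`, which ignores what is already in buf, so a payload split across several writes can still run past total_len (and past MAX_RX_SIZE). Suggested: `if (count > etf->total_len - etf->written)` while keeping etf->written <= total_len as an invariant, or simply `count > MAX_RX_SIZE - etf->written`. Two smaller points: the message "Tried to write > MAX_RX_SIZE" does not match the comparison, which is against total_len; and because total_len is unsigned, `etf->total_len - written` wraps to a huge value whenever total_len is smaller than the header size, which the `>` test then accepts.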
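The commit message describes two checks: the announced length against MAX_RX_SIZE, and each chunk against the remaining buffer space. The following is an added userspace model of that write path, not code from the cw1200 driver or this patch. It assumes the semantics visible in the hunks (a 16-bit length header on the first write, etf->written as the offset into the buffer, the local written as the header offset into the caller's buffer) and invents the rest (struct etf_model, etf_model_write and the two scenario functions are hypothetical names; total_len == 0 standing for "expecting a header" is an assumption). It places the bound exactly as the patch writes it beside a corrected bound and replays two write sequences through each, so the difference is visible in the return values rather than in a crash:

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_RX_SIZE 2600 /* same limit the patch uses */

struct etf_model {             /* hypothetical model of the driver's state */
	uint16_t total_len;    /* payload length announced by the first write */
	uint16_t written;      /* payload bytes already stored in buf */
	uint8_t  buf[MAX_RX_SIZE];
};

/* Bound as written in the patch's third hunk: it subtracts the header offset
 * into the caller's buffer (hdr_off), not the offset into buf. The unsigned
 * subtraction wraps when total_len < hdr_off, so the test then always passes. */
static bool payload_fits_as_patched(const struct etf_model *m, size_t hdr_off, size_t count)
{
	return count <= (size_t)m->total_len - hdr_off;
}

/* Corrected bound: the copy lands at buf + m->written, so the room left is
 * total_len - m->written (m->written <= total_len is kept as an invariant). */
static bool payload_fits_fixed(const struct etf_model *m, size_t count)
{
	return count <= (size_t)m->total_len - m->written;
}

/* One write() call. Assumed semantics: total_len == 0 means the next write
 * starts with a 2-byte length header; a message may be split across calls.
 * Returns bytes consumed or a negative errno. buf is never actually overrun:
 * an overrun the selected check would have allowed is reported instead. */
static int etf_model_write(struct etf_model *m, const uint8_t *user_buf, size_t count,
			   bool use_fixed, bool *would_overflow)
{
	size_t hdr_off = 0;
	*would_overflow = false;
	if (m->total_len == 0) {
		if (count < sizeof(m->total_len))
			return -EINVAL;
		memcpy(&m->total_len, user_buf, sizeof(m->total_len));
		if (m->total_len == 0 || m->total_len > MAX_RX_SIZE) {
			m->total_len = 0;
			return -EINVAL;
		}
		hdr_off = sizeof(m->total_len);
		count -= hdr_off;
	}
	if (count == 0)
		return (int)hdr_off;
	if (!(use_fixed ? payload_fits_fixed(m, count)
			: payload_fits_as_patched(m, hdr_off, count)))
		return -EINVAL;
	if ((size_t)m->written + count > sizeof(m->buf)) {
		*would_overflow = true; /* the real copy_from_user() would overrun here */
		return -EOVERFLOW;
	}
	memcpy(m->buf + m->written, user_buf + hdr_off, count);
	m->written += (uint16_t)count;
	if (m->written >= m->total_len) { /* message complete: start over */
		m->total_len = 0;
		m->written = 0;
	}
	return (int)(hdr_off + count);
}

/* Scenario 1: a header-only write announcing 2600 bytes, then 1300 payload
 * bytes, then another 2600. Returns true if the third write would overrun. */
static bool split_write_overflows(bool use_fixed)
{
	static uint8_t chunk[MAX_RX_SIZE]; /* constructed payload, contents irrelevant */
	struct etf_model m = {0};
	uint16_t len = MAX_RX_SIZE;
	uint8_t hdr[sizeof(len)];
	bool ovf;
	memcpy(hdr, &len, sizeof(hdr));
	etf_model_write(&m, hdr, sizeof(hdr), use_fixed, &ovf);
	etf_model_write(&m, chunk, 1300, use_fixed, &ovf);
	etf_model_write(&m, chunk, MAX_RX_SIZE, use_fixed, &ovf);
	return ovf;
}

/* Scenario 2: one write whose header announces 1 byte but carries 4998.
 * Returns true if the check lets the oversized payload through. */
static bool undersized_length_overflows(bool use_fixed)
{
	static uint8_t msg[2 + 4998]; /* constructed payload, contents irrelevant */
	struct etf_model m = {0};
	uint16_t len = 1;
	bool ovf;
	memcpy(msg, &len, sizeof(len));
	etf_model_write(&m, msg, sizeof(msg), use_fixed, &ovf);
	return ovf;
}

int main(void)
{
	printf("split write:  as-patched=%d fixed=%d\n", split_write_overflows(false), split_write_overflows(true));
	printf("short length: as-patched=%d fixed=%d\n", undersized_length_overflows(false), undersized_length_overflows(true));
	return 0;
}
```

Both scenarios are rejected by the corrected bound and admitted by the bound as patched. The second one also shows why an upper-only check on the announced length is not enough: once total_len is smaller than the header offset, the unsigned subtraction wraps and the comparison stops constraining count at all.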