From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752121AbcFWJUF (ORCPT ); Thu, 23 Jun 2016 05:20:05 -0400 Received: from szxga01-in.huawei.com ([58.251.152.64]:27078 "EHLO szxga01-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751955AbcFWJUA (ORCPT ); Thu, 23 Jun 2016 05:20:00 -0400 From: To: , , , , CC: , chenjie Subject: [PATCH] memory:bugxfix panic on cat or write /dev/kmem Date: Fri, 24 Jun 2016 01:30:10 +0800 Message-ID: <1466703010-32242-1-git-send-email-chenjie6@huawei.com> X-Mailer: git-send-email 1.8.0 MIME-Version: 1.0 Content-Type: text/plain X-Originating-IP: [10.67.54.28] X-CFilter-Loop: Reflected X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020203.576BA9B7.000D,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32 X-Mirapoint-Loop-Id: 29b9bb1166d1e26dcfd381695c72d7d3 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: chenjie cat /dev/kmem and echo > /dev/kmem will lead panic Signed-off-by: chenjie --- drivers/char/mem.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/char/mem.c b/drivers/char/mem.c index 71025c2..4bdde28 100644 --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -412,6 +412,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf, * by the kernel or data corruption may occur */ kbuf = xlate_dev_kmem_ptr((void *)p); + if (!kbuf) + return -EFAULT; if (copy_to_user(buf, kbuf, sz)) return -EFAULT; @@ -482,6 +484,11 @@ static ssize_t do_write_kmem(unsigned long p, const char __user *buf, * corruption may occur. */ ptr = xlate_dev_kmem_ptr((void *)p); + if (!ptr) { + if (written) + break; + return -EFAULT; + } copied = copy_from_user(ptr, buf, sz); if (copied) { -- 1.8.0