* [PATCH] ibmasm: don't write out of bounds in read handler
@ 2018-07-07 2:16 Jann Horn
2018-07-07 8:00 ` Greg Kroah-Hartman
0 siblings, 1 reply; 2+ messages in thread
From: Jann Horn @ 2018-07-07 2:16 UTC (permalink / raw)
To: Arnd Bergmann, Greg Kroah-Hartman, Max Asböck, jannh; +Cc: linux-kernel
This read handler had a lot of custom logic and wrote outside the bounds of
the provided buffer. This could lead to kernel and userspace memory
corruption. Just use simple_read_from_buffer() with a stack buffer.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
---
NOTE: I put a "CC: stable" tag on this commit because it's a simple
change and I don't know whether bugs in this code matter; I don't
have any idea what the userland for this looks like.
If it's not important, feel free to remove the tag.
drivers/misc/ibmasm/ibmasmfs.c | 27 +++------------------------
1 file changed, 3 insertions(+), 24 deletions(-)
diff --git a/drivers/misc/ibmasm/ibmasmfs.c b/drivers/misc/ibmasm/ibmasmfs.c
index e05c3245930a..fa840666bdd1 100644
--- a/drivers/misc/ibmasm/ibmasmfs.c
+++ b/drivers/misc/ibmasm/ibmasmfs.c
@@ -507,35 +507,14 @@ static int remote_settings_file_close(struct inode *inode, struct file *file)
static ssize_t remote_settings_file_read(struct file *file, char __user *buf, size_t count, loff_t *offset)
{
void __iomem *address = (void __iomem *)file->private_data;
- unsigned char *page;
- int retval;
int len = 0;
unsigned int value;
-
- if (*offset < 0)
- return -EINVAL;
- if (count == 0 || count > 1024)
- return 0;
- if (*offset != 0)
- return 0;
-
- page = (unsigned char *)__get_free_page(GFP_KERNEL);
- if (!page)
- return -ENOMEM;
+ char lbuf[20];
value = readl(address);
- len = sprintf(page, "%d\n", value);
-
- if (copy_to_user(buf, page, len)) {
- retval = -EFAULT;
- goto exit;
- }
- *offset += len;
- retval = len;
+ len = snprintf(lbuf, sizeof(lbuf), "%d\n", value);
-exit:
- free_page((unsigned long)page);
- return retval;
+ return simple_read_from_buffer(buf, count, offset, lbuf, len);
}
static ssize_t remote_settings_file_write(struct file *file, const char __user *ubuff, size_t count, loff_t *offset)
--
2.18.0.203.gfac676dfb9-goog
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] ibmasm: don't write out of bounds in read handler
2018-07-07 2:16 [PATCH] ibmasm: don't write out of bounds in read handler Jann Horn
@ 2018-07-07 8:00 ` Greg Kroah-Hartman
0 siblings, 0 replies; 2+ messages in thread
From: Greg Kroah-Hartman @ 2018-07-07 8:00 UTC (permalink / raw)
To: Jann Horn; +Cc: Arnd Bergmann, Max Asböck, linux-kernel
On Sat, Jul 07, 2018 at 04:16:33AM +0200, Jann Horn wrote:
> This read handler had a lot of custom logic and wrote outside the bounds of
> the provided buffer. This could lead to kernel and userspace memory
> corruption. Just use simple_read_from_buffer() with a stack buffer.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
> Signed-off-by: Jann Horn <jannh@google.com>
> ---
> NOTE: I put a "CC: stable" tag on this commit because it's a simple
> change and I don't know whether bugs in this code matter; I don't
> have any idea what the userland for this looks like.
> If it's not important, feel free to remove the tag.
Looks worthy of a stable tree inclusion, thanks. I've kept it and
queued the patch up now.
greg k-h
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-07-07 8:00 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-07-07 2:16 [PATCH] ibmasm: don't write out of bounds in read handler Jann Horn
2018-07-07 8:00 ` Greg Kroah-Hartman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).