On Wed, Nov 20, 2019 at 1:51 PM Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
>
> Thanks for the patch. Looks good.
>
> Reviewed-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

Appreciate the review!

-Marcelo

>
> On Wed, Nov 20, 2019 at 10:36:48AM -0500, Marcelo Diop-Gonzalez wrote:
> > copy_bytes = min_t(int, len, context->space - context->actual); > > if (copy_bytes == 0) > > - return; > > + return 0; > > if (copy_to_user(context->buf + context->actual, str, > > copy_bytes)) > > - context->actual = -EFAULT; > ^^^^^^^^^^^^^^^^^^^^^^^^^ > > > + return -EFAULT; > > context->actual += copy_bytes; > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > In the original code we saved the error code to context->actual, then > we added some bytes > > > len -= copy_bytes; > > > > @@ -2109,8 +2108,9 @@ vchiq_dump(void *dump_context, const char *str, int len) > > > > if (copy_to_user(context->buf + context->actual - 1, > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > and then we tried to use the result to corrupt the user space program. > So this patch is a nice bug fix. > > > &cr, 1)) > > - context->actual = -EFAULT; > > + return -EFAULT; > > } > > + return 0; > > }
>
> regards,
> dan carpenter
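Review bot: In the first hunk, the failure of the first copy_to_user() is now reported only through `return -EFAULT`, and no caller of vchiq_dump() appears in the quoted lines, so it is worth confirming that every caller checks the new return value and stops dumping on failure; an unchecked call would drop the fault silently. Separately, `if (copy_bytes == 0)` only catches zero: since copy_bytes comes from `min_t(int, len, context->space - context->actual)`, a `<= 0` test would also keep a negative length out of copy_to_user() should context->actual ever exceed context->space.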
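Review bot: In the hunk at `@@ -2109,8 +2108,9 @@`, the second `return -EFAULT` is reached after `context->actual += copy_bytes` has already run, so on this path context->actual counts bytes whose final one-byte write at `context->buf + context->actual - 1` failed. A short comment on vchiq_dump() stating that context->actual is not a valid byte count after a nonzero return would make the contract explicit for callers.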