On Sat, Jul 19, 2014 at 10:26:57AM -0400, Benjamin Romer wrote:
> +ssize_t store_chipsetready(struct device *dev, struct device_attribute *attr,
> + const char *buf, size_t count)
> {
> - char buf[512];
> - char *token, *p;
> -
> - if (count > sizeof(buf) - 1) {
> - LOGERR("chipset_proc_write: count (%d) exceeds size of buffer (%d)",
> - (int) count, (int) sizeof(buffer));
> - return -EINVAL;
> - }
> - if (copy_from_user(buf, buffer, count)) {
> - LOGERR("chipset_proc_write: copy_from_user failed");
> - return -EFAULT;
> - }
> - buf[count] = '\0';
> -
> - p = buf;
> - token = gettoken(&p);
> -
> - if (strcmp(token, "CALLHOMEDISK_MOUNTED") == 0) {
> - token = gettoken(&p);
> - /* The Call Home Disk has been mounted */
> - if (strcmp(token, "0") == 0)
> - chipset_events[0] = 1;
> - } else if (strcmp(token, "MODULES_LOADED") == 0) {
> - token = gettoken(&p);
> - /* All modules for the partition have been loaded */
> - if (strcmp(token, "0") == 0)
> - chipset_events[1] = 1;
> - } else if (token == NULL) {
> - /* No event specified */
> - LOGERR("No event was specified to send CHIPSET_READY response");
> - return -1;
> + char msgtype[64];
> + int msgparam;
> +
> + if (sscanf(buf, "%63s %d", msgtype, &msgparam) == 2) {
> + if (strcmp(msgtype, "CALLHOMEDISK_MOUNTED") == 0) {
> + /* The Call Home Disk has been mounted */
> + if (msgparam == 0)
> + chipset_events[0] = 1;
> + } else if (strcmp(msgtype, "MODULES_LOADED") == 0) {
> + /* All modules for the partition have been loaded */
> + if (msgparam == 0)
> + chipset_events[1] = 1;
> + } else {
> + /* Unsupported event specified */
> + LOGERR("%s is an invalid event for sending CHIPSET_READY response",
> + msgtype);
> + return -1;
> + }
> } else {
> - /* Unsupported event specified */
> - LOGERR("%s is an invalid event for sending CHIPSET_READY response", token);
> + LOGERR("malformed input to chipsetready attribute");
> return -1;
How nice, a simple way to create a DoS in the kernel log by just writing odd data to a sysfs 
file :( Also, don't make up error numbers that you are returning to userspace, -1 is not a valid one for what you mean here. Or I really don't know what you mean... thanks, greg k-h
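Review bot: The `sscanf(buf, "%63s %d", msgtype, &msgparam) == 2` parse in store_chipsetready is looser than a fixed-format attribute should allow: anything after the integer is ignored, so input such as a valid event name followed by `0` and arbitrary trailing bytes is treated as well-formed, and a recognised event with a non-zero parameter takes neither the assignment nor an error path in the quoted lines. Splitting the event name from the parameter and converting the parameter with `kstrtoint()` would reject trailing data, and an explicit `else` under each `if (msgparam == 0)` would make the non-zero case a reported error rather than a silent no-op. The definition is also added without `static`; if it is only referenced from the attribute declaration in the same file, which the quoted lines do not show, it should read `static ssize_t store_chipsetready(...)`. The quote stops before the end of the function, so the value returned on success could not be checked.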