On Tue, 2023-05-30 at 13:45 -0400, Stefan Berger wrote: > > On 5/29/23 22:01, Jarkko Sakkinen wrote: > > From: Jarkko Sakkinen <jarkko.sakkinen@xxxxxxx> > > > > > - rc = copy_to_user(buf, proxy_dev->buffer, len); > > + if (buf) > > + rc = copy_to_user(buf, proxy_dev->buffer, len); > > + > > Looking through other drivers it seems buf is always expected to be a valid non-NULL pointer on file_operations.read(). > > > https://elixir.bootlin.com/linux/latest/source/arch/x86/mm/tlb.c#L1279 simple_read_from_buffer will pass the pointer to the user buffer along and it ('to') ends up in copy_to_user(to, ...); > > > Same here: https://elixir.bootlin.com/linux/latest/source/security/integrity/ima/ima_fs.c#L41 It is good to mention here that IMA uses __user tagged pointers correctly, and it does not really compare to the vtpm driver code by any possible means. So let's not add illegit comparison points. BR, Jarkko
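Review bot: the added `if (buf)` guard in front of `copy_to_user(buf, proxy_dev->buffer, len)` leaves `rc` at whatever value it held before when `buf` is NULL, and that value is not visible in this hunk. If it is 0, the read reports success although nothing was copied. A NULL test also does not validate a user pointer. `copy_to_user()` already returns the number of bytes it could not copy when the destination faults, so a NULL `buf` is caught by the existing error path without the guard. Either drop the check, or, if a NULL `buf` really can reach this point, set the error explicitly (for example `rc = -EFAULT`) in an else branch and state in the commit message which caller passes NULL. The trailing empty `+` line after the call adds only whitespace and can go.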