On Wed, Jul 20, 2022 at 09:28:18PM +0300, Dan Carpenter wrote:
> The call to:
>
> 	ret = simple_write_to_buffer(buf, size, offp, ubuf, size);
>
> will return success if it is able to write even one byte to "buf".
> The value of "*offp" controls which byte. This could result in
> reading uninitialized data when we do the sscanf() on the next line.
>
> This code is not really designed to handle partial writes where
> *offp is non-zero and the "buf" is preserved and re-used between writes.
> Just ban partial writes and replace the simple_write_to_buffer() with
> copy_from_user().
>
> Fixes: 578b881ba9c4 ("NTB: Add tool test client")

Looks good. Thanks.

Reviewed-by: Serge Semin <fancer.lancer@xxxxxxxxx>

-Sergey

> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> --- > drivers/ntb/test/ntb_tool.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > diff --git a/drivers/ntb/test/ntb_tool.c b/drivers/ntb/test/ntb_tool.c > index b7bf3f863d79..5ee0afa621a9 100644 > --- a/drivers/ntb/test/ntb_tool.c > +++ b/drivers/ntb/test/ntb_tool.c > @@ -367,14 +367,16 @@ static ssize_t tool_fn_write(struct tool_ctx *tc, > u64 bits; > int n; > > + if (*offp) > + return 0; > + > buf = kmalloc(size + 1, GFP_KERNEL); > if (!buf) > return -ENOMEM; > > - ret = simple_write_to_buffer(buf, size, offp, ubuf, size); > - if (ret < 0) { > + if (copy_from_user(buf, ubuf, size)) { > kfree(buf); > - return ret; > + return -EFAULT; > } > > buf[size] = 0; > -- > 2.35.1 > >
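Review bot: the new `if (*offp) return 0;` guard at the top of the tool_fn_write() hunk reports a rejected write as a successful zero-byte write, so a caller that retries short writes has no error to stop on; returning a negative errno such as -EINVAL there would make the ban on non-zero offsets explicit. Separately, the removed simple_write_to_buffer() call was the only visible place that advanced *offp, and nothing in the added lines does, so it is worth confirming whether the rest of the function is meant to update *offp after a successful copy_from_user(). If it is not, the guard only catches an offset set by the caller (pwrite or lseek) and repeated plain writes on the same file descriptor are still accepted; a one-line comment stating which behaviour is intended would help. The copy_from_user() error path itself looks right: the buffer is freed and -EFAULT is returned, and buf[size] = 0 still terminates the string before it is parsed.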