Re: [PATCH] Bluetooth: vhci: Fix info leak in force_devcd_write()


Hello:

This patch was applied to bluetooth/bluetooth-next.git (master)
by Luiz Augusto von Dentz <luiz.von.dentz@xxxxxxxxx>:

On Thu, 6 Apr 2023 11:55:17 +0300 you wrote:
> There are a number of bugs here:
> 
> 1) If "count" is less than sizeof(dump_data.data) then it copies
>    uninitialized data.
> 2) If simple_write_to_buffer() returns -EFAULT then we run into a
>    problem with the "ret < count" comparison.  "count" is an unsigned long so the
>    comparison is type promoted to unsigned long and the negative returns
>    become high positive values.  That also results in copying
>    uninitialized data.
> 3) If "*ppos" is non-zero then the first part of the dump_data
>    buffer is uninitialized.  Using copy_from_user() instead of
>    simple_write_to_buffer() is more appropriate here.
> 
> [...]

Here is the summary with links:
  - Bluetooth: vhci: Fix info leak in force_devcd_write()
    https://git.kernel.org/bluetooth/bluetooth-next/c/0b1900708232

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
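
Items 1 and 2 of the quoted commit message, modelled in userspace C as an added example. This is not the driver's code or the applied patch: model_copy, count_stale, BUF_LEN, STALE and both handler names are hypothetical, and the 0xAA fill stands in for leftover stack contents.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>

#define BUF_LEN 8   /* constructed; stands in for sizeof(dump_data.data) */
#define STALE 0xAA  /* constructed marker for bytes the write never set */

/* Hypothetical copy helper: marks buf stale, returns bytes copied or -EFAULT. */
static ssize_t model_copy(unsigned char *buf, const void *src, size_t count, int fault)
{
    size_t n = count < BUF_LEN ? count : BUF_LEN;
    memset(buf, STALE, BUF_LEN);          /* models leftover stack contents */
    if (fault)
        return -EFAULT;
    memcpy(buf, src, n);
    return (ssize_t)n;
}

/* Counts bytes in p[0..n) that still hold the stale marker. */
static size_t count_stale(const unsigned char *p, size_t n)
{
    size_t stale = 0;
    while (n--)
        stale += (p[n] == STALE);
    return stale;
}

/* Flawed pattern: returns how many never-written bytes get forwarded. */
size_t stale_forwarded_flawed(const void *src, size_t count, int fault)
{
    unsigned char buf[BUF_LEN];
    ssize_t ret = model_copy(buf, src, count, fault);
    if (ret < count)                      /* ret becomes unsigned: -EFAULT looks huge */
        return 0;                         /* error path, nothing forwarded */
    return count_stale(buf, sizeof(buf)); /* whole buffer forwarded */
}

/* Checked pattern: test the sign first, forward only what was copied. */
size_t stale_forwarded_checked(const void *src, size_t count, int fault)
{
    unsigned char buf[BUF_LEN];
    ssize_t ret = model_copy(buf, src, count, fault);
    if (ret < 0 || (size_t)ret != count)
        return 0;                         /* fault, short or oversized write */
    return count_stale(buf, (size_t)ret);
}
```

With a constructed 3-byte write, the flawed handler forwards 5 stale bytes, and all 8 when the copy faults; the checked handler forwards none in either case.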




