On Tue, Jun 12, 2018 at 09:47:41PM -0400, Hugo Lefeuvre wrote: > In the PI433_IOC_WR_TX_CFG case in pi433_ioctl, instance->tx_cfg is > modified via > > copy_from_user(&instance->tx_cfg, argp, sizeof(struct pi433_tx_cfg))) > > without any kind of synchronization. In the case where two threads > would execute this same command concurrently the tx_cfg field might > enter in an inconsistent state. > > Additionally: if ioctl(PI433_IOC_WR_TX_CFG) and write() execute > concurrently the tx config might be modified while it is being > copied to the fifo, resulting in potential data corruption. > > Fix: Get instance->tx_cfg_lock before modifying tx config in the > PI433_IOC_WR_TX_CFG case in pi433_ioctl. > > Also, do not copy data directly from user space to instance->tx_cfg. > Instead use a temporary buffer allowing future checks for correctness > of copied data. > > Signed-off-by: Hugo Lefeuvre <hle@xxxxxxxxxx> > --- > Changes in v2: > - Use device->tx_fifo_lock instead of introducing a new lock in > instance. > - Do not copy data directly from user space to instance->tx_cfg, > instead use a temporary buffer allowing future checks for > correctness of copied data. > --- > drivers/staging/pi433/pi433_if.c | 11 +++++++++-- > 1 file changed, 9 insertions(+), 2 deletions(-) > > diff --git a/drivers/staging/pi433/pi433_if.c b/drivers/staging/pi433/pi433_if.c > index b061f77dda41..3ec1ed01d04b 100644 > --- a/drivers/staging/pi433/pi433_if.c > +++ b/drivers/staging/pi433/pi433_if.c > @@ -880,6 +880,7 @@ pi433_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) > int retval = 0; > struct pi433_instance *instance; > struct pi433_device *device; > + struct pi433_tx_cfg tx_cfg_buffer; > void __user *argp = (void __user *)arg; > > /* Check type and command number */ 
> @@ -902,9 +903,15 @@ pi433_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) > return -EFAULT; > break; > case PI433_IOC_WR_TX_CFG: > - if (copy_from_user(&instance->tx_cfg, argp, > - sizeof(struct pi433_tx_cfg))) > + /* do not modify tx config while it is being copied to fifo */ > + mutex_lock(&device->tx_fifo_lock); > + if (copy_from_user(&tx_cfg_buffer, argp, > + sizeof(struct pi433_tx_cfg))) { > + mutex_unlock(&device->tx_fifo_lock); > return -EFAULT; > + } > + memcpy(&instance->tx_cfg, &tx_cfg_buffer, sizeof(struct pi433_tx_cfg)); > + mutex_unlock(&device->tx_fifo_lock); The lock is only needed around the memcpy() and that makes the code a bit simpler as well. regards, dan carpenter _______________________________________________ Kernelnewbies mailing list Kernelnewbies@xxxxxxxxxxxxxxxxx https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
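Review bot: in the PI433_IOC_WR_TX_CFG arm the mutex is taken before copy_from_user() although only the memcpy() into instance->tx_cfg needs it; doing the user copy first and then `mutex_lock(&device->tx_fifo_lock); memcpy(&instance->tx_cfg, &tx_cfg_buffer, sizeof(struct pi433_tx_cfg)); mutex_unlock(&device->tx_fifo_lock);` keeps the critical section to the in-kernel copy, removes the extra mutex_unlock() on the -EFAULT path, and avoids holding the lock across a user-space access that may fault and sleep. This only closes the race if the write() path copies tx_cfg into the fifo under the same device->tx_fifo_lock, which these hunks do not show. Two documentation points: the commit message still says "Get instance->tx_cfg_lock" while the code takes device->tx_fifo_lock (the v2 changelog mentions the switch, the message body does not), and the "future checks for correctness" that justify tx_cfg_buffer are not part of this patch, so the temporary buffer currently adds a copy without validating anything.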