[PATCH] platform/x86: intel_pmc_core: re-write copy in pmc_core_lpm_latch_mode_write()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



There are two bugs in this code:
1) "ret" is unsigned so the error handling is broken.
2) simple_write_to_buffer() is innappropriate.  It will succeed even if
   we are only able to copy a single byte of data from user space.  This
   could lead to an information leak if the buf[] array is not fully
   initialized.

I've fixed it to use strncpy_from_user() and to return -EINVAL if the
user supplied string is not NUL terminated.

Fixes: 8074a79fad2e ("platform/x86: intel_pmc_core: Add option to set/clear LPM mode")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
 drivers/platform/x86/intel_pmc_core.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/drivers/platform/x86/intel_pmc_core.c b/drivers/platform/x86/intel_pmc_core.c
index 3ae00ac85c75..c989796a5d52 100644
--- a/drivers/platform/x86/intel_pmc_core.c
+++ b/drivers/platform/x86/intel_pmc_core.c
@@ -1360,18 +1360,19 @@ static ssize_t pmc_core_lpm_latch_mode_write(struct file *file,
 	struct pmc_dev *pmcdev = s->private;
 	bool clear = false, c10 = false;
 	unsigned char buf[8];
-	size_t ret;
-	int idx, m, mode;
+	int idx, m, mode, ret;
+	size_t len;
 	u32 reg;
 
-	if (count > sizeof(buf) - 1)
+	if (count > sizeof(buf))
 		return -EINVAL;
 
-	ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf, count);
+	len = min(count, sizeof(buf));
+	ret = strncpy_from_user(buf, userbuf, len);
 	if (ret < 0)
 		return ret;
-
-	buf[count] = '\0';
+	if (ret == len)
+		return -EINVAL;
 
 	/*
 	 * Allowed strings are:
-- 
2.30.2




[Index of Archives]     [Linux Kernel Development]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux