There are two bugs in this code:
1) "ret" is unsigned so the error handling is broken.
2) simple_write_to_buffer() is innappropriate. It will succeed even if
we are only able to copy a single byte of data from user space. This
could lead to an information leak if the buf[] array is not fully
initialized.
I've fixed it to use strncpy_from_user() and to return -EINVAL if the
user supplied string is not NUL terminated.
Fixes: 8074a79fad2e ("platform/x86: intel_pmc_core: Add option to set/clear LPM mode")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
drivers/platform/x86/intel_pmc_core.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/drivers/platform/x86/intel_pmc_core.c b/drivers/platform/x86/intel_pmc_core.c
index 3ae00ac85c75..c989796a5d52 100644
--- a/drivers/platform/x86/intel_pmc_core.c
+++ b/drivers/platform/x86/intel_pmc_core.c
@@ -1360,18 +1360,19 @@ static ssize_t pmc_core_lpm_latch_mode_write(struct file *file,
struct pmc_dev *pmcdev = s->private;
bool clear = false, c10 = false;
unsigned char buf[8];
- size_t ret;
- int idx, m, mode;
+ int idx, m, mode, ret;
+ size_t len;
u32 reg;
- if (count > sizeof(buf) - 1)
+ if (count > sizeof(buf))
return -EINVAL;
- ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf, count);
+ len = min(count, sizeof(buf));
+ ret = strncpy_from_user(buf, userbuf, len);
if (ret < 0)
return ret;
-
- buf[count] = '\0';
+ if (ret == len)
+ return -EINVAL;
/*
* Allowed strings are:
--
2.30.2
