On Wed, Jul 20, 2022 at 09:23:38PM +0300, Dan Carpenter wrote:
> The call to:
>
> 	size = simple_write_to_buffer(cmdbuf, sizeof(cmdbuf), ppos, buf, size);
>
> will succeed if at least one byte is written to the "cmdbuf" buffer.
> The "*ppos" value controls which byte is written.  Another problem is
> that this code does not check for errors so it's possible for the entire
> buffer to be uninitialized.
>
> Initialize the struct to zero to prevent reading uninitialized stack
> data.
>
> Debugfs is normally only writable by root so the impact of this bug is
> very minimal.
>
> Fixes: 6cca83d498bd ("Platform: OLPC: move debugfs support from x86 EC driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> The ec_dbgfs_cmd_write() function is not great.  We could copy the data
> outside the lock for example.  But that's outside the scope of this
> patch.

More relevant, another improvement would be to replace the
simple_write_to_buffer() with a check for "if (*ppos) return 0;" and a
copy_from_user().  The simple_write_to_buffer() function is not
appropriate here.

However, I can't test this code, and this is not really core code so I
just did the minimum to fix the bug.

regards,
dan carpenter
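
A user-space model of the behaviour described in the message above, added here as an illustration and not part of the original mail or the kernel source: `model_write_to_buffer()` mirrors the offset handling of `simple_write_to_buffer()` with `memcpy()` in place of `copy_from_user()`. The 64-byte buffer size, the `0xAA` filler and the helper names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define CMDBUF_LEN 64   /* assumed size for this model */
#define STALE 0xAA      /* constructed stand-in for leftover stack bytes */

/* User-space model of simple_write_to_buffer(): memcpy() stands in for
 * copy_from_user(), so the -EFAULT path is not modelled. */
static long model_write_to_buffer(void *to, size_t available, long long *ppos,
                                  const void *from, size_t count)
{
    long long pos = *ppos;
    if (pos < 0)
        return -22;                         /* -EINVAL */
    if ((size_t)pos >= available || !count)
        return 0;                           /* nothing copied, no error */
    if (count > available - (size_t)pos)
        count = available - (size_t)pos;
    memcpy((char *)to + pos, from, count);  /* bytes before pos are untouched */
    *ppos = pos + (long long)count;
    return (long)count;
}

/* Write len bytes at offset pos into a fresh buffer and return how many
 * bytes still hold STALE. zero_init models the patch's zero initialization. */
static size_t stale_bytes_after_write(long long pos, const char *data,
                                      size_t len, int zero_init, long *ret)
{
    unsigned char cmdbuf[CMDBUF_LEN];
    size_t i, stale = 0;
    memset(cmdbuf, zero_init ? 0 : STALE, sizeof(cmdbuf));
    *ret = model_write_to_buffer(cmdbuf, sizeof(cmdbuf), &pos, data, len);
    for (i = 0; i < sizeof(cmdbuf); i++)
        stale += (cmdbuf[i] == STALE);
    return stale;
}

int main(void)
{
    long ret;
    size_t n;
    n = stale_bytes_after_write(5, "A", 1, 0, &ret);
    printf("pos=5  no init:   ret=%ld stale=%zu\n", ret, n);
    n = stale_bytes_after_write(CMDBUF_LEN, "A", 1, 0, &ret);
    printf("pos=64 no init:   ret=%ld stale=%zu\n", ret, n);
    n = stale_bytes_after_write(5, "A", 1, 1, &ret);
    printf("pos=5  zero init: ret=%ld stale=%zu\n", ret, n);
    return 0;
}
```

A one-byte write at offset 5 reports success while the other 63 bytes keep their previous contents, and an offset at or past the end returns 0 with the buffer untouched; zero initialization leaves no stale bytes in either case.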