Patch "netdevsim: fix uninitialized data in nsim_dev_trap_fa_cookie_write()" has been added to the 6.1-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 16 Jul 2023 21:11:04 -0400

This is a note to let you know that I've just added the patch titled

    netdevsim: fix uninitialized data in nsim_dev_trap_fa_cookie_write()

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netdevsim-fix-uninitialized-data-in-nsim_dev_trap_fa.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 6f2ca3c8c1a7fda55fd52f9bb6deb07dd480418a
Author: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Date:   Tue Jul 11 11:52:26 2023 +0300

    netdevsim: fix uninitialized data in nsim_dev_trap_fa_cookie_write()
    
    [ Upstream commit f72207a5c0dbaaf6921cf9a6c0d2fd0bc249ea78 ]
    
    The simple_write_to_buffer() function is designed to handle partial
    writes.  It returns negatives on error, otherwise it returns the number
    of bytes that were able to be copied.  This code doesn't check the
    return properly.  We only know that the first byte is written, the rest
    of the buffer might be uninitialized.
    
    There is no need to use the simple_write_to_buffer() function.
    Partial writes are prohibited by the "if (*ppos != 0)" check at the
    start of the function.  Just use memdup_user() and copy the whole
    buffer.
    
    Fixes: d3cbb907ae57 ("netdevsim: add ACL trap reporting cookie as a metadata")
    Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
    Reviewed-by: Pavan Chebbi <pavan.chebbi@xxxxxxxxxxxx>
    Reviewed-by: Ido Schimmel <idosch@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/7c1f950b-3a7d-4252-82a6-876e53078ef7@moroto.mountain
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/netdevsim/dev.c b/drivers/net/netdevsim/dev.c
index 68e56e451b2be..c3fbdd6b68baf 100644
--- a/drivers/net/netdevsim/dev.c
+++ b/drivers/net/netdevsim/dev.c
@@ -184,13 +184,10 @@ static ssize_t nsim_dev_trap_fa_cookie_write(struct file *file,
 	cookie_len = (count - 1) / 2;
 	if ((count - 1) % 2)
 		return -EINVAL;
-	buf = kmalloc(count, GFP_KERNEL | __GFP_NOWARN);
-	if (!buf)
-		return -ENOMEM;
 
-	ret = simple_write_to_buffer(buf, count, ppos, data, count);
-	if (ret < 0)
-		goto free_buf;
+	buf = memdup_user(data, count);
+	if (IS_ERR(buf))
+		return PTR_ERR(buf);
 
 	fa_cookie = kmalloc(sizeof(*fa_cookie) + cookie_len,
 			    GFP_KERNEL | __GFP_NOWARN);






