Commit 2d867aa0 authored by Jann Horn's avatar Jann Horn Committed by Kleber Sacilotto de Souza

ibmasm: don't write out of bounds in read handler

BugLink: https://bugs.launchpad.net/bugs/1790620

commit a0341fc1 upstream.

This read handler had a lot of custom logic and wrote outside the bounds of
the provided buffer. This could lead to kernel and userspace memory
corruption. Just use simple_read_from_buffer() with a stack buffer.

Fixes: 1da177e4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: default avatarJann Horn <jannh@google.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
parent 31c5526e
......@@ -507,35 +507,14 @@ static int remote_settings_file_close(struct inode *inode, struct file *file)
static ssize_t remote_settings_file_read(struct file *file, char __user *buf, size_t count, loff_t *offset)
{
void __iomem *address = (void __iomem *)file->private_data;
unsigned char *page;
int retval;
int len = 0;
unsigned int value;
if (*offset < 0)
return -EINVAL;
if (count == 0 || count > 1024)
return 0;
if (*offset != 0)
return 0;
page = (unsigned char *)__get_free_page(GFP_KERNEL);
if (!page)
return -ENOMEM;
char lbuf[20];
value = readl(address);
len = sprintf(page, "%d\n", value);
if (copy_to_user(buf, page, len)) {
retval = -EFAULT;
goto exit;
}
*offset += len;
retval = len;
len = snprintf(lbuf, sizeof(lbuf), "%d\n", value);
exit:
free_page((unsigned long)page);
return retval;
return simple_read_from_buffer(buf, count, offset, lbuf, len);
}
static ssize_t remote_settings_file_write(struct file *file, const char __user *ubuff, size_t count, loff_t *offset)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment