* [PATCH] ath10k: fix information leak in debugfs
@ 2018-02-19 12:51 ` Venkateswara Naralasetty
0 siblings, 0 replies; 4+ messages in thread
From: Venkateswara Naralasetty @ 2018-02-19 12:51 UTC (permalink / raw)
To: ath10k; +Cc: Venkateswara Naralasetty, linux-wireless
During write to some of debugfs in ath10k, few variables exposing stack
data when process user input. which leads to possible information leak.
This patch fix this issue by initializing buffer and checks
the return valure of 'simple_write_to_buffer'.
Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org>
---
drivers/net/wireless/ath/ath10k/debug.c | 20 ++++++++---------
drivers/net/wireless/ath/ath10k/debugfs_sta.c | 31 ++++++++++++++-------------
2 files changed, 26 insertions(+), 25 deletions(-)
diff --git a/drivers/net/wireless/ath/ath10k/debug.c b/drivers/net/wireless/ath/ath10k/debug.c
index 554cd78..21c348b 100644
--- a/drivers/net/wireless/ath/ath10k/debug.c
+++ b/drivers/net/wireless/ath/ath10k/debug.c
@@ -987,13 +987,13 @@ static ssize_t ath10k_write_htt_max_amsdu_ampdu(struct file *file,
{
struct ath10k *ar = file->private_data;
int res;
- char buf[64];
+ char buf[64] = {0};
unsigned int amsdu, ampdu;
- simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
-
- /* make sure that buf is null terminated */
- buf[sizeof(buf) - 1] = 0;
+ res = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos,
+ user_buf, count);
+ if (res <= 0)
+ return res;
res = sscanf(buf, "%u %u", &amsdu, &du);
@@ -1043,14 +1043,14 @@ static ssize_t ath10k_write_fw_dbglog(struct file *file,
{
struct ath10k *ar = file->private_data;
int ret;
- char buf[96];
+ char buf[96] = {0};
unsigned int log_level;
u64 mask;
- simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
-
- /* make sure that buf is null terminated */
- buf[sizeof(buf) - 1] = 0;
+ ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos,
+ user_buf, count);
+ if (ret <= 0)
+ return ret;
ret = sscanf(buf, "%llx %u", &mask, &log_level);
diff --git a/drivers/net/wireless/ath/ath10k/debugfs_sta.c b/drivers/net/wireless/ath/ath10k/debugfs_sta.c
index b260b09..5583854 100644
--- a/drivers/net/wireless/ath/ath10k/debugfs_sta.c
+++ b/drivers/net/wireless/ath/ath10k/debugfs_sta.c
@@ -1,5 +1,6 @@
/*
* Copyright (c) 2014-2017 Qualcomm Atheros, Inc.
+ * Copyright (c) 2018, The Linux Foundation. All rights reserved.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -136,12 +137,12 @@ static ssize_t ath10k_dbg_sta_write_addba(struct file *file,
struct ath10k *ar = arsta->arvif->ar;
u32 tid, buf_size;
int ret;
- char buf[64];
+ char buf[64] = {0};
- simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
-
- /* make sure that buf is null terminated */
- buf[sizeof(buf) - 1] = '\0';
+ ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos,
+ user_buf, count);
+ if (ret <= 0)
+ return ret;
ret = sscanf(buf, "%u %u", &tid, &buf_size);
if (ret != 2)
@@ -187,12 +188,12 @@ static ssize_t ath10k_dbg_sta_write_addba_resp(struct file *file,
struct ath10k *ar = arsta->arvif->ar;
u32 tid, status;
int ret;
- char buf[64];
-
- simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
+ char buf[64] = {0};
- /* make sure that buf is null terminated */
- buf[sizeof(buf) - 1] = '\0';
+ ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos,
+ user_buf, count);
+ if (ret <= 0)
+ return ret;
ret = sscanf(buf, "%u %u", &tid, &status);
if (ret != 2)
@@ -237,12 +238,12 @@ static ssize_t ath10k_dbg_sta_write_delba(struct file *file,
struct ath10k *ar = arsta->arvif->ar;
u32 tid, initiator, reason;
int ret;
- char buf[64];
-
- simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
+ char buf[64] = {0};
- /* make sure that buf is null terminated */
- buf[sizeof(buf) - 1] = '\0';
+ ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos,
+ user_buf, count);
+ if (ret <= 0)
+ return ret;
ret = sscanf(buf, "%u %u %u", &tid, &initiator, &reason);
if (ret != 3)
--
2.7.4
_______________________________________________
ath10k mailing list
ath10k@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/ath10k
^ permalink raw reply related [flat|nested] 4+ messages in thread* [PATCH] ath10k: fix information leak in debugfs
@ 2018-02-19 12:51 ` Venkateswara Naralasetty
0 siblings, 0 replies; 4+ messages in thread
From: Venkateswara Naralasetty @ 2018-02-19 12:51 UTC (permalink / raw)
To: ath10k; +Cc: linux-wireless, Venkateswara Naralasetty
During write to some of debugfs in ath10k, few variables exposing stack
data when process user input. which leads to possible information leak.
This patch fix this issue by initializing buffer and checks
the return valure of 'simple_write_to_buffer'.
Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org>
---
drivers/net/wireless/ath/ath10k/debug.c | 20 ++++++++---------
drivers/net/wireless/ath/ath10k/debugfs_sta.c | 31 ++++++++++++++-------------
2 files changed, 26 insertions(+), 25 deletions(-)
diff --git a/drivers/net/wireless/ath/ath10k/debug.c b/drivers/net/wireless/ath/ath10k/debug.c
index 554cd78..21c348b 100644
--- a/drivers/net/wireless/ath/ath10k/debug.c
+++ b/drivers/net/wireless/ath/ath10k/debug.c
@@ -987,13 +987,13 @@ static ssize_t ath10k_write_htt_max_amsdu_ampdu(struct file *file,
{
struct ath10k *ar = file->private_data;
int res;
- char buf[64];
+ char buf[64] = {0};
unsigned int amsdu, ampdu;
- simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
-
- /* make sure that buf is null terminated */
- buf[sizeof(buf) - 1] = 0;
+ res = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos,
+ user_buf, count);
+ if (res <= 0)
+ return res;
res = sscanf(buf, "%u %u", &amsdu, &du);
@@ -1043,14 +1043,14 @@ static ssize_t ath10k_write_fw_dbglog(struct file *file,
{
struct ath10k *ar = file->private_data;
int ret;
- char buf[96];
+ char buf[96] = {0};
unsigned int log_level;
u64 mask;
- simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
-
- /* make sure that buf is null terminated */
- buf[sizeof(buf) - 1] = 0;
+ ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos,
+ user_buf, count);
+ if (ret <= 0)
+ return ret;
ret = sscanf(buf, "%llx %u", &mask, &log_level);
diff --git a/drivers/net/wireless/ath/ath10k/debugfs_sta.c b/drivers/net/wireless/ath/ath10k/debugfs_sta.c
index b260b09..5583854 100644
--- a/drivers/net/wireless/ath/ath10k/debugfs_sta.c
+++ b/drivers/net/wireless/ath/ath10k/debugfs_sta.c
@@ -1,5 +1,6 @@
/*
* Copyright (c) 2014-2017 Qualcomm Atheros, Inc.
+ * Copyright (c) 2018, The Linux Foundation. All rights reserved.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -136,12 +137,12 @@ static ssize_t ath10k_dbg_sta_write_addba(struct file *file,
struct ath10k *ar = arsta->arvif->ar;
u32 tid, buf_size;
int ret;
- char buf[64];
+ char buf[64] = {0};
- simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
-
- /* make sure that buf is null terminated */
- buf[sizeof(buf) - 1] = '\0';
+ ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos,
+ user_buf, count);
+ if (ret <= 0)
+ return ret;
ret = sscanf(buf, "%u %u", &tid, &buf_size);
if (ret != 2)
@@ -187,12 +188,12 @@ static ssize_t ath10k_dbg_sta_write_addba_resp(struct file *file,
struct ath10k *ar = arsta->arvif->ar;
u32 tid, status;
int ret;
- char buf[64];
-
- simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
+ char buf[64] = {0};
- /* make sure that buf is null terminated */
- buf[sizeof(buf) - 1] = '\0';
+ ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos,
+ user_buf, count);
+ if (ret <= 0)
+ return ret;
ret = sscanf(buf, "%u %u", &tid, &status);
if (ret != 2)
@@ -237,12 +238,12 @@ static ssize_t ath10k_dbg_sta_write_delba(struct file *file,
struct ath10k *ar = arsta->arvif->ar;
u32 tid, initiator, reason;
int ret;
- char buf[64];
-
- simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
+ char buf[64] = {0};
- /* make sure that buf is null terminated */
- buf[sizeof(buf) - 1] = '\0';
+ ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos,
+ user_buf, count);
+ if (ret <= 0)
+ return ret;
ret = sscanf(buf, "%u %u %u", &tid, &initiator, &reason);
if (ret != 3)
--
2.7.4
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: ath10k: fix information leak in debugfs
2018-02-19 12:51 ` Venkateswara Naralasetty
(?)
@ 2018-04-27 11:26 ` Kalle Valo
-1 siblings, 0 replies; 4+ messages in thread
From: Kalle Valo @ 2018-04-27 11:26 UTC (permalink / raw)
To: Venkateswara Naralasetty; +Cc: linux-wireless, ath10k
Venkateswara Naralasetty <vnaralas@codeaurora.org> wrote:
> During write to some of debugfs in ath10k, few variables exposing stack
> data when process user input. which leads to possible information leak.
>
> This patch fix this issue by initializing buffer and checks
> the return valure of 'simple_write_to_buffer'.
>
> Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org>
> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Patch applied to ath-next branch of ath.git, thanks.
2f177c1628c3 ath10k: fix information leak in debugfs
--
https://patchwork.kernel.org/patch/10227751/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
_______________________________________________
ath10k mailing list
ath10k@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/ath10k
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: ath10k: fix information leak in debugfs
2018-02-19 12:51 ` Venkateswara Naralasetty
(?)
(?)
@ 2018-04-27 11:26 ` Kalle Valo
-1 siblings, 0 replies; 4+ messages in thread
From: Kalle Valo @ 2018-04-27 11:26 UTC (permalink / raw)
To: Venkateswara Naralasetty; +Cc: ath10k, linux-wireless, Venkateswara Naralasetty
Venkateswara Naralasetty <vnaralas@codeaurora.org> wrote:
> During write to some of debugfs in ath10k, few variables exposing stack
> data when process user input. which leads to possible information leak.
>
> This patch fix this issue by initializing buffer and checks
> the return valure of 'simple_write_to_buffer'.
>
> Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org>
> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Patch applied to ath-next branch of ath.git, thanks.
2f177c1628c3 ath10k: fix information leak in debugfs
--
https://patchwork.kernel.org/patch/10227751/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2018-04-27 11:27 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-02-19 12:51 [PATCH] ath10k: fix information leak in debugfs Venkateswara Naralasetty
2018-02-19 12:51 ` Venkateswara Naralasetty
2018-04-27 11:26 ` Kalle Valo
2018-04-27 11:26 ` Kalle Valo
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.