From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Jann Horn <jannh@google.com>
Subject: [PATCH 4.9 06/32] ibmasm: dont write out of bounds in read handler
Date: Mon, 16 Jul 2018 09:36:14 +0200
Message-ID: <20180716073505.229291390@linuxfoundation.org>
In-Reply-To: <20180716073504.433996952@linuxfoundation.org>

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jann Horn <jannh@google.com>

commit a0341fc1981a950c1e902ab901e98f60e0e243f3 upstream.

This read handler had a lot of custom logic and wrote outside the bounds of
the provided buffer. This could lead to kernel and userspace memory
corruption. Just use simple_read_from_buffer() with a stack buffer.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/misc/ibmasm/ibmasmfs.c |   27 +++------------------------
 1 file changed, 3 insertions(+), 24 deletions(-)

--- a/drivers/misc/ibmasm/ibmasmfs.c
+++ b/drivers/misc/ibmasm/ibmasmfs.c
@@ -507,35 +507,14 @@ static int remote_settings_file_close(st
 static ssize_t remote_settings_file_read(struct file *file, char __user *buf, size_t count, loff_t *offset)
 {
 	void __iomem *address = (void __iomem *)file->private_data;
-	unsigned char *page;
-	int retval;
 	int len = 0;
 	unsigned int value;
-
-	if (*offset < 0)
-		return -EINVAL;
-	if (count == 0 || count > 1024)
-		return 0;
-	if (*offset != 0)
-		return 0;
-
-	page = (unsigned char *)__get_free_page(GFP_KERNEL);
-	if (!page)
-		return -ENOMEM;
+	char lbuf[20];
 
 	value = readl(address);
-	len = sprintf(page, "%d\n", value);
-
-	if (copy_to_user(buf, page, len)) {
-		retval = -EFAULT;
-		goto exit;
-	}
-	*offset += len;
-	retval = len;
+	len = snprintf(lbuf, sizeof(lbuf), "%d\n", value);
 
-exit:
-	free_page((unsigned long)page);
-	return retval;
+	return simple_read_from_buffer(buf, count, offset, lbuf, len);
 }
 
 static ssize_t remote_settings_file_write(struct file *file, const char __user *ubuff, size_t count, loff_t *offset)
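
Review bot: in the added `len = snprintf(lbuf, sizeof(lbuf), "%d\n", value);` line, snprintf() returns the length the output would have had, not the number of bytes actually stored, and that value is passed straight to simple_read_from_buffer() as the amount of data available in lbuf. With a 32-bit value and a 20-byte buffer the output is at most 12 characters plus the terminator, so it cannot truncate as written, but scnprintf() would keep len bounded by sizeof(lbuf) if the format or the type ever changes. Separately, value is an unsigned int printed with %d, so register values above INT_MAX read back as negative numbers; this matches the removed sprintf() call and may be deliberate to keep the userspace-visible output unchanged, but it deserves a comment or a follow-up switching to %u. The `int len = 0;` initializer is also dead now, since len is always assigned before it is used.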


