From: Karol Kozimor <sziwan-DETuoxkZsSqrDJvtcaxF/A@public.gmane.org>
To: acpi-devel
<acpi-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org>
Subject: Re: [PATCH] toshiba_acpi 0.18
Date: Wed, 24 Mar 2004 12:17:20 +0100 [thread overview]
Message-ID: <20040324111720.GA15171@hell.org.pl> (raw)
In-Reply-To: <40610A01.9070904-wanGne27zNesTnJN9+BGXg@public.gmane.org>
[-- Attachment #1: Type: text/plain, Size: 272 bytes --]
Thus wrote John Belmonte:
> Note that if copy_from_user fails, this code leaks memory.
Nah, I somehow assumed we don't have to worry after -EFAULT, my bad.
Updated patches attached.
Best regards,
--
Karol 'sziwan' Kozimor
sziwan-DETuoxkZsSqrDJvtcaxF/A@public.gmane.org
[-- Attachment #2: copy_from_user-2.4.diff --]
[-- Type: text/plain, Size: 2880 bytes --]
--- ../../kernels/linux-2.4.25/drivers/acpi/asus_acpi.c 2004-02-18 14:36:31.000000000 +0100
+++ ./asus_acpi.c 2004-03-24 12:07:08.000000000 +0100
@@ -40,6 +40,7 @@
#include <linux/proc_fs.h>
#include <acpi/acpi_drivers.h>
#include <acpi/acpi_bus.h>
+#include <asm/uaccess.h>
#define ASUS_ACPI_VERSION "0.27"
@@ -499,9 +500,17 @@ write_led(const char *buffer, unsigned l
{
int value;
int led_out = 0;
+ char *tmp_buffer;
- if (sscanf(buffer, "%i", &value) == 1)
+ tmp_buffer = kmalloc(count + 1, GFP_KERNEL);
+ if (copy_from_user(tmp_buffer, buffer, count)) {
+ kfree(tmp_buffer);
+ return -EFAULT;
+ } else
+ tmp_buffer[count] = '\0';
+ if (sscanf(tmp_buffer, "%i", &value) == 1)
led_out = value ? 1 : 0;
+ kfree(tmp_buffer);
hotk->status =
(led_out) ? (hotk->status | ledmask) : (hotk->status & ~ledmask);
@@ -656,9 +665,18 @@ proc_write_lcd(struct file *file, const
{
int value;
struct asus_hotk *hotk = (struct asus_hotk *) data;
+ char *tmp_buffer;
- if (sscanf(buffer, "%i", &value) == 1)
+ tmp_buffer = kmalloc(count + 1, GFP_KERNEL);
+ if (copy_from_user(tmp_buffer, buffer, count)) {
+ kfree(tmp_buffer);
+ return -EFAULT;
+ } else
+ tmp_buffer[count] = '\0';
+ if (sscanf(tmp_buffer, "%i", &value) == 1)
set_lcd_state(hotk, value);
+ kfree(tmp_buffer);
+
return count;
}
@@ -723,14 +741,22 @@ proc_write_brn(struct file *file, const
{
int value;
struct asus_hotk *hotk = (struct asus_hotk *) data;
+ char *tmp_buffer;
- if (sscanf(buffer, "%d", &value) == 1) {
+ tmp_buffer = kmalloc(count + 1, GFP_KERNEL);
+ if (copy_from_user(tmp_buffer, buffer, count)) {
+ kfree(tmp_buffer);
+ return -EFAULT;
+ } else
+ tmp_buffer[count] = '\0';
+ if (sscanf(tmp_buffer, "%d", &value) == 1) {
value = (0 < value) ? ((15 < value) ? 15 : value) : 0;
/* 0 <= value <= 15 */
set_brightness(value, hotk);
} else {
printk(KERN_WARNING "Asus ACPI: Error reading user input\n");
}
+ kfree(tmp_buffer);
return count;
}
@@ -772,12 +798,20 @@ proc_write_disp(struct file *file, const
{
int value;
struct asus_hotk *hotk = (struct asus_hotk *) data;
+ char *tmp_buffer;
- if (sscanf(buffer, "%d", &value) == 1)
+ tmp_buffer = kmalloc(count + 1, GFP_KERNEL);
+ if (copy_from_user(tmp_buffer, buffer, count)) {
+ kfree(tmp_buffer);
+ return -EFAULT;
+ } else
+ tmp_buffer[count] = '\0';
+ if (sscanf(tmp_buffer, "%d", &value) == 1)
set_display(value, hotk);
else {
printk(KERN_WARNING "Asus ACPI: Error reading user input\n");
}
+ kfree(tmp_buffer);
return count;
}
@@ -1006,7 +1040,6 @@ static int __init asus_hotk_get_info(str
}
-
static int __init asus_hotk_check(struct asus_hotk *hotk)
{
int result = 0;
@@ -1029,7 +1062,6 @@ static int __init asus_hotk_check(struct
}
-
static int __init asus_hotk_add(struct acpi_device *device)
{
struct asus_hotk *hotk = NULL;
[-- Attachment #3: copy_from_user-2.6.diff --]
[-- Type: text/plain, Size: 3778 bytes --]
--- ../../kernels/linux-2.6.5/drivers/acpi/asus_acpi.c 2004-03-21 16:48:28.000000000 +0100
+++ ./asus_acpi.c 2004-03-24 12:09:51.000000000 +0100
@@ -40,6 +40,7 @@
#include <linux/proc_fs.h>
#include <acpi/acpi_drivers.h>
#include <acpi/acpi_bus.h>
+#include <asm/uaccess.h>
#define ASUS_ACPI_VERSION "0.27"
@@ -494,14 +495,22 @@ read_led(struct asus_hotk *hotk, const c
/* FIXME: kill extraneous args so it can be called independently */
static int
-write_led(const char *buffer, unsigned long count, struct asus_hotk *hotk,
+write_led(const char __user *buffer, unsigned long count, struct asus_hotk *hotk,
char *ledname, int ledmask, int invert)
{
int value;
int led_out = 0;
+ char *tmp_buffer;
- if (sscanf(buffer, "%i", &value) == 1)
+ tmp_buffer = kmalloc(count + 1, GFP_KERNEL);
+ if (copy_from_user(tmp_buffer, buffer, count)) {
+ kfree(tmp_buffer);
+ return -EFAULT;
+ } else
+ tmp_buffer[count] = '\0';
+ if (sscanf(tmp_buffer, "%i", &value) == 1)
led_out = value ? 1 : 0;
+ kfree(tmp_buffer);
hotk->status =
(led_out) ? (hotk->status | ledmask) : (hotk->status & ~ledmask);
@@ -651,14 +660,23 @@ proc_read_lcd(char *page, char **start,
static int
-proc_write_lcd(struct file *file, const char *buffer,
+proc_write_lcd(struct file *file, const char __user *buffer,
unsigned long count, void *data)
{
int value;
struct asus_hotk *hotk = (struct asus_hotk *) data;
+ char *tmp_buffer;
- if (sscanf(buffer, "%i", &value) == 1)
+ tmp_buffer = kmalloc(count + 1, GFP_KERNEL);
+ if (copy_from_user(tmp_buffer, buffer, count)) {
+ kfree(tmp_buffer);
+ return -EFAULT;
+ } else
+ tmp_buffer[count] = '\0';
+ if (sscanf(tmp_buffer, "%i", &value) == 1)
set_lcd_state(hotk, value);
+ kfree(tmp_buffer);
+
return count;
}
@@ -718,19 +736,27 @@ proc_read_brn(char *page, char **start,
}
static int
-proc_write_brn(struct file *file, const char *buffer,
+proc_write_brn(struct file *file, const char __user *buffer,
unsigned long count, void *data)
{
int value;
struct asus_hotk *hotk = (struct asus_hotk *) data;
+ char *tmp_buffer;
- if (sscanf(buffer, "%d", &value) == 1) {
+ tmp_buffer = kmalloc(count + 1, GFP_KERNEL);
+ if (copy_from_user(tmp_buffer, buffer, count)) {
+ kfree(tmp_buffer);
+ return -EFAULT;
+ } else
+ tmp_buffer[count] = '\0';
+ if (sscanf(tmp_buffer, "%d", &value) == 1) {
value = (0 < value) ? ((15 < value) ? 15 : value) : 0;
/* 0 <= value <= 15 */
set_brightness(value, hotk);
} else {
printk(KERN_WARNING "Asus ACPI: Error reading user input\n");
}
+ kfree(tmp_buffer);
return count;
}
@@ -767,17 +793,25 @@ proc_read_disp(char *page, char **start,
* simultaneously, so be warned. See the acpi4asus README for more info.
*/
static int
-proc_write_disp(struct file *file, const char *buffer,
+proc_write_disp(struct file *file, const char __user *buffer,
unsigned long count, void *data)
{
int value;
struct asus_hotk *hotk = (struct asus_hotk *) data;
+ char *tmp_buffer;
- if (sscanf(buffer, "%d", &value) == 1)
+ tmp_buffer = kmalloc(count + 1, GFP_KERNEL);
+ if (copy_from_user(tmp_buffer, buffer, count)) {
+ kfree(tmp_buffer);
+ return -EFAULT;
+ } else
+ tmp_buffer[count] = '\0';
+ if (sscanf(tmp_buffer, "%d", &value) == 1)
set_display(value, hotk);
else {
printk(KERN_WARNING "Asus ACPI: Error reading user input\n");
}
+ kfree(tmp_buffer);
return count;
}
@@ -1006,7 +1040,6 @@ static int __init asus_hotk_get_info(str
}
-
static int __init asus_hotk_check(struct asus_hotk *hotk)
{
int result = 0;
@@ -1029,7 +1062,6 @@ static int __init asus_hotk_check(struct
}
-
static int __init asus_hotk_add(struct acpi_device *device)
{
struct asus_hotk *hotk = NULL;
prev parent reply other threads:[~2004-03-24 11:17 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-03-14 2:35 [PATCH] toshiba_acpi 0.18 John Belmonte
[not found] ` <4053C4D5.8000703-wanGne27zNesTnJN9+BGXg@public.gmane.org>
2004-03-14 5:38 ` Len Brown
[not found] ` <1079242701.2168.121.camel-D2Zvc0uNKG8@public.gmane.org>
2004-03-14 6:02 ` John Belmonte
[not found] ` <4053F592.80001-wanGne27zNesTnJN9+BGXg@public.gmane.org>
2004-03-23 7:01 ` Len Brown
2004-03-25 14:34 ` Sergey Vlasov
[not found] ` <20040325173453.77fed4e9.vsu-u2l5PoMzF/Uox3rIn2DAYQ@public.gmane.org>
2004-03-25 15:48 ` John Belmonte
2004-03-14 13:07 ` [PATCH] " Karol Kozimor
[not found] ` <20040314130724.GA1994-DETuoxkZsSqrDJvtcaxF/A@public.gmane.org>
2004-03-23 23:24 ` Karol Kozimor
[not found] ` <20040323232438.GA9223-DETuoxkZsSqrDJvtcaxF/A@public.gmane.org>
2004-03-24 4:09 ` John Belmonte
[not found] ` <40610A01.9070904-wanGne27zNesTnJN9+BGXg@public.gmane.org>
2004-03-24 11:17 ` Karol Kozimor [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040324111720.GA15171@hell.org.pl \
--to=sziwan-detuoxkzssqrdjvtcaxf/a@public.gmane.org \
--cc=acpi-devel-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox