From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 791ECC43334 for ; Tue, 5 Jul 2022 15:00:33 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231769AbiGEPAb (ORCPT ); Tue, 5 Jul 2022 11:00:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52038 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231154AbiGEPAa (ORCPT ); Tue, 5 Jul 2022 11:00:30 -0400 Received: from mail-yw1-x114a.google.com (mail-yw1-x114a.google.com [IPv6:2607:f8b0:4864:20::114a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7AAB814D09 for ; Tue, 5 Jul 2022 08:00:29 -0700 (PDT) Received: by mail-yw1-x114a.google.com with SMTP id 00721157ae682-31c8a5d51adso44546647b3.14 for ; Tue, 05 Jul 2022 08:00:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=date:message-id:mime-version:subject:from:to:cc; bh=QKuFg9afWhUipvD+WdWRILrNmuYqti5h58sgL8Ob85w=; b=I1hm1SyHmxcLO7/EzbgkwyhvtMLZ2oqIEFbEoFVWd6iXy9zRpmRcMlkRB48oF+revL ZWoUdXXELCCZ1ITOv4C9zvfjcqggfmuXkPrpSwyiZ+MZL0nsCjOEgB8dB1F+wF56qpgb 3S0C50+n99eVaZWajRE7iLRc6cKulNgTwzcsj/aPuX+XrIyyza46XkdeLBX4mjnqnzPd 8QjPoWGIqESpY4uzqrGlSv5Ogx+J5DsfqlP902d6jeo9x9E6zs0THNYHlkNybr3JhBY3 MA6SkMQcDTDUlSLxzzmcs9Yo37CDIVZkLbm+dlAhLYKVSAtxqv4HKyMk9tt3BEv1c7bN r5yg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc; bh=QKuFg9afWhUipvD+WdWRILrNmuYqti5h58sgL8Ob85w=; b=SvUgFIq56qnSwyYbtbn5tRJl2+2ZkWrNdSUHM5B5RvCZ63nP/qWEkRvmA2Kb532Oj8 MLAwt8npa+8AnQPXmyBUHsEF/lSh+MEwCf5aGSrBJ9SJZuOWdtgLlOVQrv9S1Qur+sYZ 7JJfrpbjDC03YuxRXbakTtOCWtdfK21CcoRb3gEsVgu4Me+/B82CO4VIZqf8d0ioPA9K LPOcwoDUEK+ZscyNpuQnF67icPW1eb8h0xYFQLnmei9QrcUJiYCnz3fZUyOOgEQpk/+n cETDYc/1TVkzG4AfZFcx8Gkapv9BuudlSTG8h9EFYacwAHom1E5yRnJ87YxA6kBHSQnP hkFQ== X-Gm-Message-State: AJIora8uAcUP+4LuDbxxfxdpuuvb72aOSaS830W5ikStNBAOGsAv9PoV /fR/oVUKukwCx3kMT2/KOybwKMLBbhFKGjdcM03GSih3AvLQ0rlje5UwNHlQlF1uQoil1cO48sJ OJN+IZQnTHO10nO/8jeYvx313JsqHo4IPXfxgkr+C/S5tQv1PD00YSwQV63FMLK1qQM8ABOuH/c nHOqAW8x0= X-Google-Smtp-Source: AGRyM1vov+co30UkhlpMFkCv16wQz5Y36w5l/CsmBztWgrqpIsFJp2fvlSpQSueDSb7FKEdWEPgSZo1iHk9nkbZt1Q== X-Received: from devel.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:4ea]) (user=varadgautam job=sendgmr) by 2002:a81:83c1:0:b0:31c:782f:7a42 with SMTP id t184-20020a8183c1000000b0031c782f7a42mr21651503ywf.399.1657033228690; Tue, 05 Jul 2022 08:00:28 -0700 (PDT) Date: Tue, 5 Jul 2022 15:00:02 +0000 Message-Id: <20220705150002.2016207-1-varadgautam@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.37.0.rc0.161.g10f37bed90-goog Subject: [PATCH] thermal: sysfs: Perform bounds check when storing thermal states From: Varad Gautam To: linux-kernel@vger.kernel.org Cc: "Rafael J . Wysocki" , Daniel Lezcano , Amit Kucheria , Zhang Rui , linux-pm@vger.kernel.org, Varad Gautam , stable@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Check that a user-provided thermal state is within the maximum thermal states supported by a given driver before attempting to apply it. This prevents a subsequent OOB access in thermal_cooling_device_stats_update() while performing state-transition accounting on drivers that do not have this check in their set_cur_state() handle. Signed-off-by: Varad Gautam Cc: stable@vger.kernel.org --- drivers/thermal/thermal_sysfs.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/drivers/thermal/thermal_sysfs.c b/drivers/thermal/thermal_sysfs.c index 1c4aac8464a7..0c6b0223b133 100644 --- a/drivers/thermal/thermal_sysfs.c +++ b/drivers/thermal/thermal_sysfs.c @@ -607,7 +607,7 @@ cur_state_store(struct device *dev, struct device_attribute *attr, const char *buf, size_t count) { struct thermal_cooling_device *cdev = to_cooling_device(dev); - unsigned long state; + unsigned long state, max_state; int result; if (sscanf(buf, "%ld\n", &state) != 1) @@ -618,10 +618,20 @@ cur_state_store(struct device *dev, struct device_attribute *attr, mutex_lock(&cdev->lock); + result = cdev->ops->get_max_state(cdev, &max_state); + if (result) + goto unlock; + + if (state > max_state) { + result = -EINVAL; + goto unlock; + } + result = cdev->ops->set_cur_state(cdev, state); if (!result) thermal_cooling_device_stats_update(cdev, state); +unlock: mutex_unlock(&cdev->lock); return result ? result : count; } -- 2.37.0.rc0.161.g10f37bed90-goog