From: "tip-bot for H. Peter Anvin" <hpa@zytor.com>
To: linux-tip-commits@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, hpa@zytor.com, mingo@redhat.com,
wim@iguana.be, arjan@infradead.org, fweisbec@gmail.com,
akpm@linux-foundation.org, tglx@linutronix.de
Subject: [tip:x86/urgent] nvram: Fix write beyond end condition; prove to gcc copy is safe
Date: Sat, 12 Dec 2009 00:16:24 GMT
Message-ID: <tip-a01c7800420d2c294ca403988488a635d4087a6d@git.kernel.org>
In-Reply-To: <tip-*@git.kernel.org>
Commit-ID: a01c7800420d2c294ca403988488a635d4087a6d
Gitweb: http://git.kernel.org/tip/a01c7800420d2c294ca403988488a635d4087a6d
Author: H. Peter Anvin <hpa@zytor.com>
AuthorDate: Fri, 11 Dec 2009 15:48:23 -0800
Committer: H. Peter Anvin <hpa@zytor.com>
CommitDate: Fri, 11 Dec 2009 15:48:23 -0800
nvram: Fix write beyond end condition; prove to gcc copy is safe

In nvram_write, first of all, correctly handle the case where the file
pointer is already beyond the end; we should return EOF in that case.

Second, make the logic a bit more explicit so that gcc can statically
prove that the copy_from_user() is safe. Once the condition of the
beyond-end filepointer is eliminated, the copy is safe but gcc can't
prove it, causing build failures for i386 allyesconfig.

Third, eliminate the entirely superfluous variable "len", and just use
the passed-in variable "count" instead.
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Cc: Arjan van de Ven <arjan@infradead.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Wim Van Sebroeck <wim@iguana.be>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
LKML-Reference: <tip-*@git.kernel.org>
---
drivers/char/nvram.c | 14 ++++++++++----
1 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/drivers/char/nvram.c b/drivers/char/nvram.c
index 4008e2c..fdbcc9f 100644
--- a/drivers/char/nvram.c
+++ b/drivers/char/nvram.c
@@ -264,10 +264,16 @@ static ssize_t nvram_write(struct file *file, const char __user *buf,
unsigned char contents[NVRAM_BYTES];
unsigned i = *ppos;
unsigned char *tmp;
- int len;
- len = (NVRAM_BYTES - i) < count ? (NVRAM_BYTES - i) : count;
- if (copy_from_user(contents, buf, len))
+ if (i >= NVRAM_BYTES)
+ return 0; /* Past EOF */
+
+ if (count > NVRAM_BYTES - i)
+ count = NVRAM_BYTES - i;
+ if (count > NVRAM_BYTES)
+ return -EFAULT; /* Can't happen, but prove it to gcc */
+
+ if (copy_from_user(contents, buf, count))
return -EFAULT;
spin_lock_irq(&rtc_lock);
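Review bot: The new `if (i >= NVRAM_BYTES)` test is made on `unsigned i = *ppos`, the narrowed copy, rather than on `*ppos` itself. If `*ppos` is wider than `unsigned` (its declaration is outside this hunk), an offset whose low bits fall below NVRAM_BYTES passes the test and the write proceeds at the truncated offset; comparing `*ppos` against NVRAM_BYTES before the assignment would close that. The ordering of the two new tests also deserves a comment: `NVRAM_BYTES - i` is an unsigned subtraction, and in the removed `len` expression it wrapped when `i` was past the end, so `len` took the caller's `count` and the copy could overrun `contents[NVRAM_BYTES]`. Finally, `return 0` for a non-empty write past the end can leave callers that retry short writes looping, so an error return may be worth considering there.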
@@ -275,7 +281,7 @@ static ssize_t nvram_write(struct file *file, const char __user *buf,
if (!__nvram_check_checksum())
goto checksum_err;
- for (tmp = contents; count-- > 0 && i < NVRAM_BYTES; ++i, ++tmp)
+ for (tmp = contents; count--; ++i, ++tmp)
__nvram_write_byte(*tmp, i);
__nvram_set_checksum();
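Review bot: With `i < NVRAM_BYTES` dropped from the loop condition, `__nvram_write_byte(*tmp, i)` stays in range only because of the clamp on `count` at the top of the function; a one-line comment here pointing at that clamp would keep a later edit from separating the two. Note also that using `count--` as the loop test leaves `count` decremented past zero on exit, so nothing after the loop should use `count` for the return value or the position update; `tmp - contents` or the final `i` is the safe source.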