* [patch] libertas: potential oops in debugfs
From: Dan Carpenter @ 2013-10-29 19:06 UTC
To: John W. Linville
Cc: libertas-dev, linux-wireless, netdev, security, Nico Golde,
Fabian Yamaguchi
If we do a zero size write then it will oops. This can only be
triggered by root.
Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c
index 668dd27..a148f14 100644
--- a/drivers/net/wireless/libertas/debugfs.c
+++ b/drivers/net/wireless/libertas/debugfs.c
@@ -913,6 +913,9 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
char *p2;
struct debug_data *d = f->private_data;
+ if (cnt == 0)
+ return 0;
+
pdata = kmalloc(cnt, GFP_KERNEL);
if (pdata == NULL)
return 0;
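Review bot: The early return for cnt == 0 leaves kmalloc(cnt, GFP_KERNEL) sized at exactly cnt bytes, so a nonzero write that is not NUL terminated still hands the code below a buffer with no room for a terminator. If pdata is handled as a C string after this point, allocate cnt + 1 and set pdata[cnt] = '\0' once the data is copied in, rather than relying on the zero-length check alone.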
* Re: [patch] libertas: potential oops in debugfs
From: Dan Carpenter @ 2013-10-29 20:09 UTC
To: John W. Linville
Cc: libertas-dev, linux-wireless, netdev, security, Nico Golde,
Fabian Yamaguchi
On Tue, Oct 29, 2013 at 10:06:41PM +0300, Dan Carpenter wrote:
> If we do a zero size write then it will oops. This can only be
> triggered by root.
>
This one isn't right... Sorry for that. We do need to fix the while
loop. I wasn't thinking.
I will resend.
regards,
dan carpenter
* [patch v2] libertas: potential oops in debugfs
From: Dan Carpenter @ 2013-10-30 17:12 UTC
To: John W. Linville
Cc: libertas-dev, linux-wireless, netdev, linux-kernel,
kernel-janitors
If we do a zero size allocation then it will oops. Also we can't be
sure the user passes us a NUL terminated string so I've added a
terminator.
This code can only be triggered by root.
Reported-by: Nico Golde <nico@ngolde.de>
Reported-by: Fabian Yamaguchi <fabs@goesec.de>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c
index 668dd27..1917348 100644
--- a/drivers/net/wireless/libertas/debugfs.c
+++ b/drivers/net/wireless/libertas/debugfs.c
@@ -913,7 +913,10 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
char *p2;
struct debug_data *d = f->private_data;
- pdata = kmalloc(cnt, GFP_KERNEL);
+ if (cnt == 0)
+ return 0;
+
+ pdata = kmalloc(cnt + 1, GFP_KERNEL);
if (pdata == NULL)
return 0;
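Review bot: The allocation-failure branch right after kmalloc(cnt + 1, GFP_KERNEL) still returns 0, which a write() caller sees as "nothing written" rather than as an error. Since the patch is already touching these lines, consider returning -ENOMEM from that branch so the failure is reported instead of looking like a zero-length write.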
@@ -922,6 +925,7 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
kfree(pdata);
return 0;
}
+ pdata[cnt] = '\0';
p0 = pdata;
for (i = 0; i < num_of_items; i++) {
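Review bot: The error branch just above the new pdata[cnt] = '\0' line frees pdata and returns 0, so a failure on that path is indistinguishable from the cnt == 0 case. Returning a negative errno from that branch would let the caller see the failure; the terminator itself is correctly placed after the branch and before p0 = pdata.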
* Re: [patch v2] libertas: potential oops in debugfs
From: Dan Williams @ 2013-10-30 19:51 UTC
To: Dan Carpenter
Cc: John W. Linville, libertas-dev, linux-wireless, netdev,
linux-kernel, kernel-janitors
On Wed, 2013-10-30 at 20:12 +0300, Dan Carpenter wrote:
> If we do a zero size allocation then it will oops. Also we can't be
> sure the user passes us a NUL terminated string so I've added a
> terminator.
>
> This code can only be triggered by root.
>
> Reported-by: Nico Golde <nico@ngolde.de>
> Reported-by: Fabian Yamaguchi <fabs@goesec.de>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Dan Williams <dcbw@redhat.com>
>
> diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c
> index 668dd27..1917348 100644
> --- a/drivers/net/wireless/libertas/debugfs.c
> +++ b/drivers/net/wireless/libertas/debugfs.c
> @@ -913,7 +913,10 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
> char *p2;
> struct debug_data *d = f->private_data;
>
> - pdata = kmalloc(cnt, GFP_KERNEL);
> + if (cnt == 0)
> + return 0;
> +
> + pdata = kmalloc(cnt + 1, GFP_KERNEL);
> if (pdata == NULL)
> return 0;
>
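Review bot: Between the cnt == 0 check and kmalloc(cnt + 1, GFP_KERNEL) nothing caps cnt, so the allocation size is whatever the writer asked for. Even for a root-only debugfs file, a small upper bound on cnt ahead of the allocation, with an error return above it, would keep an oversized write from turning into a large kmalloc request.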
> @@ -922,6 +925,7 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf,
> kfree(pdata);
> return 0;
> }
> + pdata[cnt] = '\0';
>
> p0 = pdata;
> for (i = 0; i < num_of_items; i++) {
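Review bot: pdata[cnt] = '\0' is in bounds only because the earlier hunk changed the allocation to cnt + 1, and nothing at this line says so. A one-line comment here or at the kmalloc call, noting that the extra byte is reserved for this terminator, would keep a later edit to either line from reintroducing an out-of-bounds write.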