* [patch] libertas: potential oops in debugfs [not found] <20131025144452.GA28451@ngolde.de> @ 2013-10-29 19:06 ` Dan Carpenter 2013-10-29 20:09 ` Dan Carpenter 2013-10-30 17:12 ` [patch v2] " Dan Carpenter 1 sibling, 1 reply; 4+ messages in thread From: Dan Carpenter @ 2013-10-29 19:06 UTC (permalink / raw) To: John W. Linville Cc: libertas-dev, linux-wireless, netdev, security, Nico Golde, Fabian Yamaguchi If we do a zero size write then it will oops. This can only be triggered by root. Reported-by: Nico Golde <nico@ngolde.de> Reported-by: Fabian Yamaguchi <fabs@goesec.de> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c index 668dd27..a148f14 100644 --- a/drivers/net/wireless/libertas/debugfs.c +++ b/drivers/net/wireless/libertas/debugfs.c @@ -913,6 +913,9 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf, char *p2; struct debug_data *d = f->private_data; + if (cnt == 0) + return 0; + pdata = kmalloc(cnt, GFP_KERNEL); if (pdata == NULL) return 0; ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [patch] libertas: potential oops in debugfs 2013-10-29 19:06 ` [patch] libertas: potential oops in debugfs Dan Carpenter @ 2013-10-29 20:09 ` Dan Carpenter 0 siblings, 0 replies; 4+ messages in thread From: Dan Carpenter @ 2013-10-29 20:09 UTC (permalink / raw) To: John W. Linville Cc: libertas-dev, linux-wireless, netdev, security, Nico Golde, Fabian Yamaguchi On Tue, Oct 29, 2013 at 10:06:41PM +0300, Dan Carpenter wrote: > If we do a zero size write then it will oops. This can only be > triggered by root. > This one isn't right... Sorry for that. We do need to fix the while loop. I wasn't thinking. I will resend. regards, dan carpenter ^ permalink raw reply [flat|nested] 4+ messages in thread
* [patch v2] libertas: potential oops in debugfs [not found] <20131025144452.GA28451@ngolde.de> 2013-10-29 19:06 ` [patch] libertas: potential oops in debugfs Dan Carpenter @ 2013-10-30 17:12 ` Dan Carpenter 2013-10-30 19:51 ` Dan Williams 1 sibling, 1 reply; 4+ messages in thread From: Dan Carpenter @ 2013-10-30 17:12 UTC (permalink / raw) To: John W. Linville Cc: libertas-dev, linux-wireless, netdev, linux-kernel, kernel-janitors If we do a zero size allocation then it will oops. Also we can't be sure the user passes us a NUL terminated string so I've added a terminator. This code can only be triggered by root. Reported-by: Nico Golde <nico@ngolde.de> Reported-by: Fabian Yamaguchi <fabs@goesec.de> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c index 668dd27..1917348 100644 --- a/drivers/net/wireless/libertas/debugfs.c +++ b/drivers/net/wireless/libertas/debugfs.c @@ -913,7 +913,10 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf, char *p2; struct debug_data *d = f->private_data; - pdata = kmalloc(cnt, GFP_KERNEL); + if (cnt == 0) + return 0; + + pdata = kmalloc(cnt + 1, GFP_KERNEL); if (pdata == NULL) return 0; @@ -922,6 +925,7 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf, kfree(pdata); return 0; } + pdata[cnt] = '\0'; p0 = pdata; for (i = 0; i < num_of_items; i++) { ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [patch v2] libertas: potential oops in debugfs 2013-10-30 17:12 ` [patch v2] " Dan Carpenter @ 2013-10-30 19:51 ` Dan Williams 0 siblings, 0 replies; 4+ messages in thread From: Dan Williams @ 2013-10-30 19:51 UTC (permalink / raw) To: Dan Carpenter Cc: John W. Linville, libertas-dev, linux-wireless, netdev, linux-kernel, kernel-janitors On Wed, 2013-10-30 at 20:12 +0300, Dan Carpenter wrote: > If we do a zero size allocation then it will oops. Also we can't be > sure the user passes us a NUL terminated string so I've added a > terminator. > > This code can only be triggered by root. > > Reported-by: Nico Golde <nico@ngolde.de> > Reported-by: Fabian Yamaguchi <fabs@goesec.de> > Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Dan Williams <dcbw@redhat.com> > > diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c > index 668dd27..1917348 100644 > --- a/drivers/net/wireless/libertas/debugfs.c > +++ b/drivers/net/wireless/libertas/debugfs.c > @@ -913,7 +913,10 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf, > char *p2; > struct debug_data *d = f->private_data; > > - pdata = kmalloc(cnt, GFP_KERNEL); > + if (cnt == 0) > + return 0; > + > + pdata = kmalloc(cnt + 1, GFP_KERNEL); > if (pdata == NULL) > return 0; > > @@ -922,6 +925,7 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf, > kfree(pdata); > return 0; > } > + pdata[cnt] = '\0'; > > p0 = pdata; > for (i = 0; i < num_of_items; i++) { > -- > To unsubscribe from this list: send the line "unsubscribe linux-wireless" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2013-10-30 19:51 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20131025144452.GA28451@ngolde.de>
2013-10-29 19:06 ` [patch] libertas: potential oops in debugfs Dan Carpenter
2013-10-29 20:09 ` Dan Carpenter
2013-10-30 17:12 ` [patch v2] " Dan Carpenter
2013-10-30 19:51 ` Dan Williams
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).