From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
From: Sasha Levin
To: "linux-kernel@vger.kernel.org" , "stable@vger.kernel.org"
CC: Michael Mera , Kalle Valo , Sasha Levin
Subject: [PATCH AUTOSEL for 4.9 149/190] ath10k: fix out of bounds access to local buffer
Date: Thu, 8 Mar 2018 04:59:57 +0000
Message-ID: <20180308045810.8041-149-alexander.levin@microsoft.com>
References: <20180308045810.8041-1-alexander.levin@microsoft.com>
In-Reply-To: <20180308045810.8041-1-alexander.levin@microsoft.com>
Content-Language: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Sender: linux-kernel-owner@vger.kernel.org
List-ID:

From: Michael Mera

[ Upstream commit a16703aaeaedec7a8bee5be5522c7c3e75478951 ]

During write to debugfs file simulate_fw_crash, fixed-size local buffer 'buf' is accessed and modified at index 'count-1', where 'count' is the size of the write (so potentially out of bounds). This patch fixes this problem.

Signed-off-by: Michael Mera
Signed-off-by: Kalle Valo
Signed-off-by: Sasha Levin
---
 drivers/net/wireless/ath/ath10k/debug.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/drivers/net/wireless/ath/ath10k/debug.c b/drivers/net/wireless= /ath/ath10k/debug.c index 82a4c67f3672..4b3e70df223e 100644 --- a/drivers/net/wireless/ath/ath10k/debug.c +++ b/drivers/net/wireless/ath/ath10k/debug.c 
@@ -624,17 +624,21 @@ static ssize_t ath10k_write_simulate_fw_crash(struct = file *file, size_t count, loff_t *ppos) { struct ath10k *ar =3D file->private_data; - char buf[32]; + char buf[32] =3D {0}; + ssize_t rc; int ret; =20 - simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count); + /* filter partial writes and invalid commands */ + if (*ppos !=3D 0 || count >=3D sizeof(buf) || count =3D=3D 0) + return -EINVAL; =20 - /* make sure that buf is null terminated */ - buf[sizeof(buf) - 1] =3D 0; + rc =3D simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count= ); + if (rc < 0) + return rc; =20 /* drop the possible '\n' from the end */ - if (buf[count - 1] =3D=3D '\n') - buf[count - 1] =3D 0; + if (buf[*ppos - 1] =3D=3D '\n') + buf[*ppos - 1] =3D '\0'; =20 mutex_lock(&ar->conf_mutex); =20 --=20 2.14.1
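Review bot: the newline strip at `buf[*ppos - 1]` is only in bounds because of conditions established several lines earlier, and indexing by `rc` would make that dependency explicit. The new guard rejects `*ppos != 0` and `count == 0`, so a successful simple_write_to_buffer() call leaves `*ppos` equal to `rc`, and `rc` is at least 1 and at most `sizeof(buf) - 1`; writing `buf[rc - 1]` says the same thing without relying on the file position as a side channel. Only `rc < 0` is checked, so a short copy (`rc` smaller than `count`) is accepted and the truncated string is then parsed as a command; consider treating `rc != count` as an error. The guard also changes behaviour for callers: a write of 32 bytes or more, or one at a non-zero offset, previously went through with the copy capped at `sizeof(buf) - 1` and now fails with -EINVAL, and the commit message ("This patch fixes this problem") does not mention that. With `buf` zero-initialised and the copy limited to `sizeof(buf) - 1`, dropping the explicit terminator is fine.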