forked from Minki/linux
ibmasm: don't write out of bounds in read handler
This read handler had a lot of custom logic and wrote outside the bounds of
the provided buffer. This could lead to kernel and userspace memory
corruption. Just use simple_read_from_buffer() with a stack buffer.
Fixes: 1da177e4c3
("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
e2a46a48b9
commit
a0341fc198
@ -507,35 +507,14 @@ static int remote_settings_file_close(struct inode *inode, struct file *file)
|
||||
static ssize_t remote_settings_file_read(struct file *file, char __user *buf, size_t count, loff_t *offset)
|
||||
{
|
||||
void __iomem *address = (void __iomem *)file->private_data;
|
||||
unsigned char *page;
|
||||
int retval;
|
||||
int len = 0;
|
||||
unsigned int value;
|
||||
|
||||
if (*offset < 0)
|
||||
return -EINVAL;
|
||||
if (count == 0 || count > 1024)
|
||||
return 0;
|
||||
if (*offset != 0)
|
||||
return 0;
|
||||
|
||||
page = (unsigned char *)__get_free_page(GFP_KERNEL);
|
||||
if (!page)
|
||||
return -ENOMEM;
|
||||
char lbuf[20];
|
||||
|
||||
value = readl(address);
|
||||
len = sprintf(page, "%d\n", value);
|
||||
len = snprintf(lbuf, sizeof(lbuf), "%d\n", value);
|
||||
|
||||
if (copy_to_user(buf, page, len)) {
|
||||
retval = -EFAULT;
|
||||
goto exit;
|
||||
}
|
||||
*offset += len;
|
||||
retval = len;
|
||||
|
||||
exit:
|
||||
free_page((unsigned long)page);
|
||||
return retval;
|
||||
return simple_read_from_buffer(buf, count, offset, lbuf, len);
|
||||
}
|
||||
|
||||
static ssize_t remote_settings_file_write(struct file *file, const char __user *ubuff, size_t count, loff_t *offset)
|
||||
|
Loading…
Reference in New Issue
Block a user