[ Upstream commit
86674a97f5055f4c7f406563408096e8cf9364ff ]
In ca8210_test_int_user_write() a user can request the transfer of a
frame with a length field (command.length) that is longer than the
actual buffer provided (len). In this scenario the driver will copy
the buffer contents into the uninitialised command[] buffer, then
transfer <data.length> bytes over the SPI even though only <len> bytes
had been populated, potentially leaking sensitive kernel memory.
Also the first 6 bytes of the command buffer must be initialised in case
a malformed, short packet is written and the uninitialised bytes are
read in ca8210_test_check_upstream.
Reported-by: Domen Puncer Kugler <domen.puncer@samsung.com>
Signed-off-by: Harry Morris <h.morris@cascoda.com>
Tested-by: Harry Morris <h.morris@cascoda.com>
Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
struct ca8210_priv *priv = filp->private_data;
u8 command[CA8210_SPI_BUF_SIZE];
- if (len > CA8210_SPI_BUF_SIZE) {
+ memset(command, SPI_IDLE, 6);
+ if (len > CA8210_SPI_BUF_SIZE || len < 2) {
dev_warn(
&priv->spi->dev,
- "userspace requested erroneously long write (%zu)\n",
+ "userspace requested erroneous write length (%zu)\n",
len
);
- return -EMSGSIZE;
+ return -EBADE;
}
ret = copy_from_user(command, in_buf, len);
);
return -EIO;
}
+ if (len != command[1] + 2) {
+ dev_err(
+ &priv->spi->dev,
+ "write len does not match packet length field\n"
+ );
+ return -EBADE;
+ }
ret = ca8210_test_check_upstream(command, priv->spi);
if (ret == 0) {
projects / platform / kernel / linux-rpi.git / commitdiff