projects / platform / kernel / linux-starfive.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0811ff4)
Bluetooth: vhci: Fix info leak in force_devcd_write()
authorDan Carpenter <error27@gmail.com>
Thu, 6 Apr 2023 08:55:17 +0000 (11:55 +0300)
committerLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
Mon, 24 Apr 2023 05:02:57 +0000 (22:02 -0700)
There are a number of bugs here:

1) If "count" is less than sizeof(dump_data.data) then it copies
   uninitialized data.
2) If simple_write_to_buffer() returns -EFAULT then we run into a
   problem "ret < count" comparison.  "count" is an unsigned long so the
   comparison is type promoted to unsigned long and the negative returns
   become high positive values.  That also results in copying
   uninitialized data.
3) If "*ppos" is non-zero then the first part of the dump_data
   buffer is uninitialized.  Using copy_from_user() instead of
   simple_write_to_buffer() is more appropriate here.

Fixes: d5d5df6da0aa ("Bluetooth: Add vhci devcoredump support")
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
drivers/bluetooth/hci_vhci.c patch | blob | history

diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
index 691fe93..40e2b9f 100644 (file)
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -323,17 +323,21 @@ static ssize_t force_devcd_write(struct file *file, const char __user *user_buf,
        struct hci_dev *hdev = data->hdev;
        struct sk_buff *skb = NULL;
        struct devcoredump_test_data dump_data;
+       size_t data_size;
        int ret;
 
-       ret = simple_write_to_buffer(&dump_data, sizeof(dump_data), ppos,
-                                    user_buf, count);
-       if (ret < count)
-               return ret;
+       if (count < offsetof(struct devcoredump_test_data, data) ||
+           count > sizeof(dump_data))
+               return -EINVAL;
+
+       if (copy_from_user(&dump_data, user_buf, count))
+               return -EFAULT;
 
-       skb = alloc_skb(sizeof(dump_data.data), GFP_ATOMIC);
+       data_size = count - offsetof(struct devcoredump_test_data, data);
+       skb = alloc_skb(data_size, GFP_ATOMIC);
        if (!skb)
                return -ENOMEM;
-       skb_put_data(skb, &dump_data.data, sizeof(dump_data.data));
+       skb_put_data(skb, &dump_data.data, data_size);
 
        hci_devcd_register(hdev, vhci_coredump, vhci_coredump_hdr, NULL);
 
Domain: System / Kernel;