From 54266260d483ab4476510dd4461a1cafc611e17d Mon Sep 17 00:00:00 2001 Message-Id: <54266260d483ab4476510dd4461a1cafc611e17d.1586266224.git.amit.kucheria@linaro.org> From: Amit Kucheria Date: Tue, 7 Apr 2020 18:48:14 +0530 Subject: [PATCH] thermal: Reject invalid cur_state input from userspace We don't check if the cur_state value input in sysfs is greater than the maximum cooling state that the cooling device supports. This can cause access to unallocated memory in case THERMAL_STATISTICS in enabled and could also crash cooling devices that don't check for an invalid state in their set_cur_state() callback. Return an error if the state being requested in greater than the maximum cooling state the device supports. Reported-by: Takashi Iwai Signed-off-by: Amit Kucheria --- drivers/thermal/thermal_sysfs.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/thermal/thermal_sysfs.c b/drivers/thermal/thermal_sysfs.c index 7e1d11bdd258..8033e5a9386a 100644 --- a/drivers/thermal/thermal_sysfs.c +++ b/drivers/thermal/thermal_sysfs.c @@ -703,7 +703,7 @@ cur_state_store(struct device *dev, struct device_attribute *attr, const char *buf, size_t count) { struct thermal_cooling_device *cdev = to_cooling_device(dev); - unsigned long state; + unsigned long state, max_state; int result; if (sscanf(buf, "%ld\n", &state) != 1) @@ -712,6 +712,13 @@ cur_state_store(struct device *dev, struct device_attribute *attr, if ((long)state < 0) return -EINVAL; + result = cdev->ops->get_max_state(cdev, &max_state); + if (result) + return result; + + if (state >= max_state) + return -EINVAL; + mutex_lock(&cdev->lock); result = cdev->ops->set_cur_state(cdev, state); -- 2.20.1