lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <193d36b0-961a-4b66-b945-37988f157ebe@moroto.mountain>
Date: Tue, 13 Feb 2024 21:09:41 +0300
From: Dan Carpenter <dan.carpenter@...aro.org>
To: Damian Muszynski <damian.muszynski@...el.com>
Cc: Giovanni Cabiddu <giovanni.cabiddu@...el.com>,
	Herbert Xu <herbert@...dor.apana.org.au>,
	"David S. Miller" <davem@...emloft.net>,
	Lucas Segarra Fernandez <lucas.segarra.fernandez@...el.com>,
	Tero Kristo <tero.kristo@...ux.intel.com>,
	Dan Carpenter <dan.carpenter@...aro.org>,
	Markas Rapoportas <markas.rapoportas@...el.com>,
	qat-linux@...el.com, linux-crypto@...r.kernel.org,
	linux-kernel@...r.kernel.org, kernel-janitors@...r.kernel.org
Subject: [PATCH] crypto: qat - uninitialized variable in
 adf_hb_error_inject_write()

There are a few issues in this code.  If *ppos is non-zero then the
first part of the buffer is not initialized.  We never initialize the
last character of the buffer.  The return is not checked so it's
possible that none of the buffer is initialized.

This is debugfs code which is root only and the impact of these bugs is
very small.  However, it's still worth fixing.  To fix this:
1) Check that *ppos is zero.
2) Use copy_from_user() instead of simple_write_to_buffer().
3) Explicitly add a NUL terminator.

Fixes: e2b67859ab6e ("crypto: qat - add heartbeat error simulator")
Signed-off-by: Dan Carpenter <dan.carpenter@...aro.org>
---
 .../crypto/intel/qat/qat_common/adf_heartbeat_dbgfs.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/drivers/crypto/intel/qat/qat_common/adf_heartbeat_dbgfs.c b/drivers/crypto/intel/qat/qat_common/adf_heartbeat_dbgfs.c
index 5cd6c2d6f90a..cccdff24b48d 100644
--- a/drivers/crypto/intel/qat/qat_common/adf_heartbeat_dbgfs.c
+++ b/drivers/crypto/intel/qat/qat_common/adf_heartbeat_dbgfs.c
@@ -160,16 +160,17 @@ static ssize_t adf_hb_error_inject_write(struct file *file,
 					 size_t count, loff_t *ppos)
 {
 	struct adf_accel_dev *accel_dev = file->private_data;
-	size_t written_chars;
 	char buf[3];
 	int ret;
 
 	/* last byte left as string termination */
-	if (count != 2)
+	if (*ppos != 0 || count != 2)
 		return -EINVAL;
 
-	written_chars = simple_write_to_buffer(buf, sizeof(buf) - 1,
-					       ppos, user_buf, count);
+	if (copy_from_user(buf, user_buf, count))
+		return -EFAULT;
+	buf[count] = '\0';
+
 	if (buf[0] != '1')
 		return -EINVAL;
 
@@ -183,7 +184,7 @@ static ssize_t adf_hb_error_inject_write(struct file *file,
 
 	dev_info(&GET_DEV(accel_dev), "Heartbeat error injection enabled\n");
 
-	return written_chars;
+	return count;
 }
 
 static const struct file_operations adf_hb_error_inject_fops = {
-- 
2.43.0


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ