| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <037fc605-3401-4e68-b452-b5e4882d56bc@lechnology.com>
Date: Thu, 8 May 2025 10:03:09 -0500
From: David Lechner <david@...hnology.com>
To: Lee Jones <lee@...nel.org>, Ivan Stepchenko <sid@....spb.ru>
Cc: Pavel Machek <pavel@...nel.org>,
Jacek Anaszewski <j.anaszewski@...sung.com>, linux-leds@...r.kernel.org,
linux-kernel@...r.kernel.org, lvc-project@...uxtesting.org
Subject: Re: [PATCH] leds: uleds: fix unchecked copy_to_user() in uleds_read()
On 5/8/25 9:34 AM, Lee Jones wrote:
> On Mon, 05 May 2025, Ivan Stepchenko wrote:
>
>> The copy_to_user() is annotated with __must_check, indicating that
>> its return value must be checked by the caller. Currently, uleds_read()
>> ignores it. If the userspace buffer is invalid and copy_to_user() fails,
>> the userspace application may assume it has received fresh data, while
>> in fact copying has failed. This can leave applications out of sync
>> with the actual device state.
>>
>> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>>
>> Fixes: e381322b0190 ("leds: Introduce userspace LED class driver")
>> Signed-off-by: Ivan Stepchenko <sid@....spb.ru>
>> ---
>> drivers/leds/uleds.c | 11 +++++++----
>> 1 file changed, 7 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/leds/uleds.c b/drivers/leds/uleds.c
>> index 374a841f18c3..41bfce43136c 100644
>> --- a/drivers/leds/uleds.c
>> +++ b/drivers/leds/uleds.c
>> @@ -147,10 +147,13 @@ static ssize_t uleds_read(struct file *file, char __user *buffer, size_t count,
>> } else if (!udev->new_data && (file->f_flags & O_NONBLOCK)) {
>> retval = -EAGAIN;
>> } else if (udev->new_data) {
>> - retval = copy_to_user(buffer, &udev->brightness,
>> - sizeof(udev->brightness));
>> - udev->new_data = false;
>> - retval = sizeof(udev->brightness);
>> + if (copy_to_user(buffer, &udev->brightness,
>> + sizeof(udev->brightness))) {
>
> This is not good.
>
> Please store the result into a variable and return that instead.
Every other caller of copy_to_user() in the kernel I've seen ignores the actual
return value and returns -EFAULT, so I thought this looked correct and it was
just a quirk of copy_to_user().
>
>> + retval = -EFAULT;
>> + } else {
>> + udev->new_data = false;
>> + retval = sizeof(udev->brightness);
>> + }
>> }
>>
>> mutex_unlock(&udev->mutex);
>> --
>> 2.39.5
>>
>
Powered by blists - more mailing lists