lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <037fc605-3401-4e68-b452-b5e4882d56bc@lechnology.com>
Date: Thu, 8 May 2025 10:03:09 -0500
From: David Lechner <david@...hnology.com>
To: Lee Jones <lee@...nel.org>, Ivan Stepchenko <sid@....spb.ru>
Cc: Pavel Machek <pavel@...nel.org>,
 Jacek Anaszewski <j.anaszewski@...sung.com>, linux-leds@...r.kernel.org,
 linux-kernel@...r.kernel.org, lvc-project@...uxtesting.org
Subject: Re: [PATCH] leds: uleds: fix unchecked copy_to_user() in uleds_read()

On 5/8/25 9:34 AM, Lee Jones wrote:
> On Mon, 05 May 2025, Ivan Stepchenko wrote:
> 
>> The copy_to_user() is annotated with __must_check, indicating that
>> its return value must be checked by the caller. Currently, uleds_read()
>> ignores it. If the userspace buffer is invalid and copy_to_user() fails,
>> the userspace application may assume it has received fresh data, while
>> in fact copying has failed. This can leave applications out of sync
>> with the actual device state.
>>
>> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>>
>> Fixes: e381322b0190 ("leds: Introduce userspace LED class driver")
>> Signed-off-by: Ivan Stepchenko <sid@....spb.ru>
>> ---
>>  drivers/leds/uleds.c | 11 +++++++----
>>  1 file changed, 7 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/leds/uleds.c b/drivers/leds/uleds.c
>> index 374a841f18c3..41bfce43136c 100644
>> --- a/drivers/leds/uleds.c
>> +++ b/drivers/leds/uleds.c
>> @@ -147,10 +147,13 @@ static ssize_t uleds_read(struct file *file, char __user *buffer, size_t count,
>>  		} else if (!udev->new_data && (file->f_flags & O_NONBLOCK)) {
>>  			retval = -EAGAIN;
>>  		} else if (udev->new_data) {
>> -			retval = copy_to_user(buffer, &udev->brightness,
>> -					      sizeof(udev->brightness));
>> -			udev->new_data = false;
>> -			retval = sizeof(udev->brightness);
>> +			if (copy_to_user(buffer, &udev->brightness,
>> +					 sizeof(udev->brightness))) {
> 
> This is not good.
> 
> Please store the result into a variable and return that instead.

Every other caller of copy_to_user() in the kernel I've seen ignores the actual
return value and returns -EFAULT, so I thought this looked correct and it was
just a quirk of copy_to_user().

> 
>> +				retval = -EFAULT;
>> +			} else {
>> +				udev->new_data = false;
>> +				retval = sizeof(udev->brightness);
>> +			}
>>  		}
>>  
>>  		mutex_unlock(&udev->mutex);
>> -- 
>> 2.39.5
>>
> 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ