lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20250508143451.GQ3865826@google.com>
Date: Thu, 8 May 2025 15:34:51 +0100
From: Lee Jones <lee@...nel.org>
To: Ivan Stepchenko <sid@....spb.ru>
Cc: Pavel Machek <pavel@...nel.org>, David Lechner <david@...hnology.com>,
	Jacek Anaszewski <j.anaszewski@...sung.com>,
	linux-leds@...r.kernel.org, linux-kernel@...r.kernel.org,
	lvc-project@...uxtesting.org
Subject: Re: [PATCH] leds: uleds: fix unchecked copy_to_user() in uleds_read()

On Mon, 05 May 2025, Ivan Stepchenko wrote:

> The copy_to_user() is annotated with __must_check, indicating that
> its return value must be checked by the caller. Currently, uleds_read()
> ignores it. If the userspace buffer is invalid and copy_to_user() fails,
> the userspace application may assume it has received fresh data, while
> in fact copying has failed. This can leave applications out of sync
> with the actual device state.
> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: e381322b0190 ("leds: Introduce userspace LED class driver")
> Signed-off-by: Ivan Stepchenko <sid@....spb.ru>
> ---
>  drivers/leds/uleds.c | 11 +++++++----
>  1 file changed, 7 insertions(+), 4 deletions(-)
> 
> diff --git a/drivers/leds/uleds.c b/drivers/leds/uleds.c
> index 374a841f18c3..41bfce43136c 100644
> --- a/drivers/leds/uleds.c
> +++ b/drivers/leds/uleds.c
> @@ -147,10 +147,13 @@ static ssize_t uleds_read(struct file *file, char __user *buffer, size_t count,
>  		} else if (!udev->new_data && (file->f_flags & O_NONBLOCK)) {
>  			retval = -EAGAIN;
>  		} else if (udev->new_data) {
> -			retval = copy_to_user(buffer, &udev->brightness,
> -					      sizeof(udev->brightness));
> -			udev->new_data = false;
> -			retval = sizeof(udev->brightness);
> +			if (copy_to_user(buffer, &udev->brightness,
> +					 sizeof(udev->brightness))) {

This is not good.

Please store the result into a variable and return that instead.

> +				retval = -EFAULT;
> +			} else {
> +				udev->new_data = false;
> +				retval = sizeof(udev->brightness);
> +			}
>  		}
>  
>  		mutex_unlock(&udev->mutex);
> -- 
> 2.39.5
> 

-- 
Lee Jones [李琼斯]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ