Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp2038217imm; Mon, 16 Jul 2018 00:38:39 -0700 (PDT) X-Google-Smtp-Source: AAOMgpfbK0psD/LTiaMXll+mHVasoPPCNyiY93BvtuqttIJqyFFb8j2Z65MYvNJuVW4PP5ZZeLGW X-Received: by 2002:a63:686:: with SMTP id 128-v6mr14390398pgg.338.1531726719348; Mon, 16 Jul 2018 00:38:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1531726719; cv=none; d=google.com; s=arc-20160816; b=zOg2qmoXhbXZM2lMKzYi/yV9LVpq8NivFutM2jA2YJ2giGzRLMvbBKtoFjaAXot0fK HjDrU6UTWUPm5uZIAd9VPRjBUsxkiNN4n9OtoTS1t4AZPDdhdtu3RVF3n1iwAQd2Nb7L X4/A4XSmAXST6zglPFLhM63ydG4KC39TcYjaj+isQysA8UzYqmsVCvhWine4Tz7SYHxC Dp+NBVX9j3IDDQHdG6wNXK3OjWaVZZZMouNGyj+XyM8TRDuIyt+qJoLr2RPzFS3nVIAx lulLnKaznHbtuy4cOptRyogFli5NFVX3R9u6NoXQWfaFc+w+DYAiBSPNCzkzbDGP+IxH r7zg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=7g3BCKKPJQMCmxSFjfWNi0n2+XDfxStwCLoCLO/M7FY=; b=mwVI1/PZz7492m3a1z4Gjx9Ise3LI+xgpDXQDkxSpwqWFYjZgAx+6xmHP2GTRMURZw m2nrBgqTm8P4etxtkj0gPBgPPgBh5zmc1r5ttnadKX2vKwYeWnVAEZa4Nw3bDuA3A5+D MPF3I3/Tpz6/QVoYZbAbhaCqBA6D7cDg6T8KGSyuAYXOF4FhPFIf17PwbbRMG+SwyKHQ grF5jkxsM3ajp+puQ2zUQXPb4JuROjqbQRUgv8EnKsfLTXlvENwQsOfQToT1vu3XQvP7 Fu9h8ckhr/QFwXLiEDhR8XT6bnL254iM+ybNpH54HFwrZtaNoG4EZQdFor4QcfO1JUcT x6rQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h11-v6si20674932pgf.558.2018.07.16.00.38.24; Mon, 16 Jul 2018 00:38:39 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731209AbeGPIDF (ORCPT + 99 others); Mon, 16 Jul 2018 04:03:05 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:46650 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728460AbeGPIDF (ORCPT ); Mon, 16 Jul 2018 04:03:05 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 5355CCA0; Mon, 16 Jul 2018 07:37:04 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jann Horn Subject: [PATCH 4.17 12/67] ibmasm: dont write out of bounds in read handler Date: Mon, 16 Jul 2018 09:34:41 +0200 Message-Id: <20180716073444.989857144@linuxfoundation.org> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20180716073443.294323458@linuxfoundation.org> References: <20180716073443.294323458@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.17-stable review patch. If anyone has any objections, please let me know. ------------------ From: Jann Horn commit a0341fc1981a950c1e902ab901e98f60e0e243f3 upstream. This read handler had a lot of custom logic and wrote outside the bounds of the provided buffer. This could lead to kernel and userspace memory corruption. Just use simple_read_from_buffer() with a stack buffer. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Signed-off-by: Jann Horn Signed-off-by: Greg Kroah-Hartman --- drivers/misc/ibmasm/ibmasmfs.c | 27 +++------------------------ 1 file changed, 3 insertions(+), 24 deletions(-) --- a/drivers/misc/ibmasm/ibmasmfs.c +++ b/drivers/misc/ibmasm/ibmasmfs.c @@ -507,35 +507,14 @@ static int remote_settings_file_close(st static ssize_t remote_settings_file_read(struct file *file, char __user *buf, size_t count, loff_t *offset) { void __iomem *address = (void __iomem *)file->private_data; - unsigned char *page; - int retval; int len = 0; unsigned int value; - - if (*offset < 0) - return -EINVAL; - if (count == 0 || count > 1024) - return 0; - if (*offset != 0) - return 0; - - page = (unsigned char *)__get_free_page(GFP_KERNEL); - if (!page) - return -ENOMEM; + char lbuf[20]; value = readl(address); - len = sprintf(page, "%d\n", value); - - if (copy_to_user(buf, page, len)) { - retval = -EFAULT; - goto exit; - } - *offset += len; - retval = len; + len = snprintf(lbuf, sizeof(lbuf), "%d\n", value); -exit: - free_page((unsigned long)page); - return retval; + return simple_read_from_buffer(buf, count, offset, lbuf, len); } static ssize_t remote_settings_file_write(struct file *file, const char __user *ubuff, size_t count, loff_t *offset)