Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp2042027imm; Mon, 16 Jul 2018 00:44:07 -0700 (PDT) X-Google-Smtp-Source: AAOMgpee4OhMW+8kkoBsDzVmCZ/FFoG52VvJN0NoJABeCIiTbqS4lybV9IkI1i/Lv+3xDzZB2QxT X-Received: by 2002:a63:214f:: with SMTP id s15-v6mr14439611pgm.267.1531727047201; Mon, 16 Jul 2018 00:44:07 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1531727047; cv=none; d=google.com; s=arc-20160816; b=BwkNN6T6tjTIv8211ezYTL/UJG3qP4pGgNCht26jkeyUAdAMeBBi/gDMUVGPpYpYfn EvfK8yxoCzVA/KcRH3qhm2q9t8xtyvvZFsnwVGrOYXspee56cP6ucAXWV5/Tft+PokwB OW/BUVEfJVvLQWbdxrvvLi8Wp01i5iYakfSXyrKDeEsXv39Uy+PbhOBqlLbIE7vpBcm4 AfaW5md8MpclN0GNO0/y3mH8mFzdKQtXsqkZ6BSkPgmwtGebY5WFx4FiS0YJMRuTuSiR f+l364GCgrnxEE2/i5d5hLLwr/mVuuEp3irE1BuO1eG3e0hwrvOe9FurBei0sOUqUOLg Ggzw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=7Bb0RnzoZZIasvrB5NkYvgndGKe2ne2iZEpwCK6ng/E=; b=uI+ar2rHdA3Vfm/CcIP+Pi8ZUM5vwm3FXhv7ofowKApQ/mXnQ9k2KX2NgeOmy3w6Qo oCs9kpL86WmsUzdDlWmekeNmAa/OBWj11uR3jvApXTnU3H1fH3BhLbv3mp5KlvII5xfQ wL8itiOZzXDfxsjsx0VedAqBCLqgDuEiODDlzK9DUOzvSFdMjluQ/b3nhqISIu21SXVR HQxI1IpnL7WcP01EI/Pdkh9s3FL3uQsvBq9qNVUhDISPT1w9ibz87pydljXWDwu6EXC6 JzJTJaAln6Qmrs8rWrfDaM2pubYO8rWjSBWqhuj/46tvZzAfJgiy2Q9iVj/jh/lgrWWd 8ImQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id q16-v6si17161871pgg.619.2018.07.16.00.43.52; Mon, 16 Jul 2018 00:44:07 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388826AbeGPIIn (ORCPT + 99 others); Mon, 16 Jul 2018 04:08:43 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:47834 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730161AbeGPIIm (ORCPT ); Mon, 16 Jul 2018 04:08:42 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 0A92DCA0; Mon, 16 Jul 2018 07:42:39 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jann Horn Subject: [PATCH 4.9 06/32] ibmasm: dont write out of bounds in read handler Date: Mon, 16 Jul 2018 09:36:14 +0200 Message-Id: <20180716073505.229291390@linuxfoundation.org> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20180716073504.433996952@linuxfoundation.org> References: <20180716073504.433996952@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.9-stable review patch. If anyone has any objections, please let me know. ------------------ From: Jann Horn commit a0341fc1981a950c1e902ab901e98f60e0e243f3 upstream. This read handler had a lot of custom logic and wrote outside the bounds of the provided buffer. This could lead to kernel and userspace memory corruption. Just use simple_read_from_buffer() with a stack buffer. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Signed-off-by: Jann Horn Signed-off-by: Greg Kroah-Hartman --- drivers/misc/ibmasm/ibmasmfs.c | 27 +++------------------------ 1 file changed, 3 insertions(+), 24 deletions(-) --- a/drivers/misc/ibmasm/ibmasmfs.c +++ b/drivers/misc/ibmasm/ibmasmfs.c @@ -507,35 +507,14 @@ static int remote_settings_file_close(st static ssize_t remote_settings_file_read(struct file *file, char __user *buf, size_t count, loff_t *offset) { void __iomem *address = (void __iomem *)file->private_data; - unsigned char *page; - int retval; int len = 0; unsigned int value; - - if (*offset < 0) - return -EINVAL; - if (count == 0 || count > 1024) - return 0; - if (*offset != 0) - return 0; - - page = (unsigned char *)__get_free_page(GFP_KERNEL); - if (!page) - return -ENOMEM; + char lbuf[20]; value = readl(address); - len = sprintf(page, "%d\n", value); - - if (copy_to_user(buf, page, len)) { - retval = -EFAULT; - goto exit; - } - *offset += len; - retval = len; + len = snprintf(lbuf, sizeof(lbuf), "%d\n", value); -exit: - free_page((unsigned long)page); - return retval; + return simple_read_from_buffer(buf, count, offset, lbuf, len); } static ssize_t remote_settings_file_write(struct file *file, const char __user *ubuff, size_t count, loff_t *offset)