Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp2042757imm; Mon, 16 Jul 2018 00:45:13 -0700 (PDT) X-Google-Smtp-Source: AAOMgpeZjN2E1RLNxxiGnmibbRo8odQy/86yCzWniqi/L1lPF13lePlgNwPmFEBi8MGIVa3sCv41 X-Received: by 2002:a17:902:7688:: with SMTP id m8-v6mr15585332pll.338.1531727113897; Mon, 16 Jul 2018 00:45:13 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1531727113; cv=none; d=google.com; s=arc-20160816; b=ZYjbTxO9j0ZcE7oNKVmyg3ODEX9lJdRrYr4M+oknQdluRZHU7FNQ1So7YYtHTLEA8M UIjkinULV3FcYAhQgq6z+OG0zRdGts3rQqQEIeS27vU46XrZyivgUPFdzhRmP9bSOcBH NzUplLtUsXxe5495xCRm7mzAOkToNhKJppgJNV12OfZBxJHLLM9XBF94rDFRVm0K7OGa 6hhnN7X1+9wlXKPoOxNL7IXIWVdJNA1t3N5D3XISDkIDPUe1Jixo4zUi8oxaIITmxU9T aEJ8lMTCdZckIOVFioFUpgqkJp8whV2tytqZCQICQn5leqzlX3Jr6Hj9IdzIRHajW57k mttw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=5IWBdCs6E9dsLpdZrVVbNyIlLyYY8EMqRrmcScWEHss=; b=mHQEo0itco8HjhNrFztWPLqPI1tgEBsBZU0QHmIb8QCLIAYqVmopwfAbwilVgwA1mL VTmiB5HFpH80BoqbQbm5liZVIXM+Gx9M+domTUGG1ioO0p4dKBGHOZaBP3QWg/o35ORs YbQ3Y7/GaPgEa6Ero0bAUHmSdoHQh/KV4SD+ym7VusKxULeYJgmib6gfcWYR6CNrIpYt Qfv05mYXB8sayn2FAkACJHTfftaPjUzDNnxzaWS3Vx6HuZYGQhJtbTLsIPjEgNsGRZDv iYCv2sIxoxX6jRKu6gwV44liJJicTgnq2PK8xbbMeH2uqLrCFJc8Q66d1901b+iwa61R Xp6Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x1-v6si12589676pge.521.2018.07.16.00.44.58; Mon, 16 Jul 2018 00:45:13 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2389339AbeGPIK2 (ORCPT + 99 others); Mon, 16 Jul 2018 04:10:28 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:48196 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388522AbeGPIK1 (ORCPT ); Mon, 16 Jul 2018 04:10:27 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id E3F5CCA4; Mon, 16 Jul 2018 07:44:23 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jann Horn Subject: [PATCH 4.4 02/43] ibmasm: dont write out of bounds in read handler Date: Mon, 16 Jul 2018 09:36:07 +0200 Message-Id: <20180716073512.023441499@linuxfoundation.org> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20180716073511.796555857@linuxfoundation.org> References: <20180716073511.796555857@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Jann Horn commit a0341fc1981a950c1e902ab901e98f60e0e243f3 upstream. This read handler had a lot of custom logic and wrote outside the bounds of the provided buffer. This could lead to kernel and userspace memory corruption. Just use simple_read_from_buffer() with a stack buffer. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Signed-off-by: Jann Horn Signed-off-by: Greg Kroah-Hartman --- drivers/misc/ibmasm/ibmasmfs.c | 27 +++------------------------ 1 file changed, 3 insertions(+), 24 deletions(-) --- a/drivers/misc/ibmasm/ibmasmfs.c +++ b/drivers/misc/ibmasm/ibmasmfs.c @@ -507,35 +507,14 @@ static int remote_settings_file_close(st static ssize_t remote_settings_file_read(struct file *file, char __user *buf, size_t count, loff_t *offset) { void __iomem *address = (void __iomem *)file->private_data; - unsigned char *page; - int retval; int len = 0; unsigned int value; - - if (*offset < 0) - return -EINVAL; - if (count == 0 || count > 1024) - return 0; - if (*offset != 0) - return 0; - - page = (unsigned char *)__get_free_page(GFP_KERNEL); - if (!page) - return -ENOMEM; + char lbuf[20]; value = readl(address); - len = sprintf(page, "%d\n", value); - - if (copy_to_user(buf, page, len)) { - retval = -EFAULT; - goto exit; - } - *offset += len; - retval = len; + len = snprintf(lbuf, sizeof(lbuf), "%d\n", value); -exit: - free_page((unsigned long)page); - return retval; + return simple_read_from_buffer(buf, count, offset, lbuf, len); } static ssize_t remote_settings_file_write(struct file *file, const char __user *ubuff, size_t count, loff_t *offset)