From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Hugo Lefeuvre, Sasha Levin
Subject: [PATCH 4.18 120/228] staging: pi433: fix race condition in pi433_ioctl
Date: Tue, 2 Oct 2018 06:23:37 -0700
Message-Id: <20181002132507.547176454@linuxfoundation.org>
In-Reply-To: <20181002132459.032960735@linuxfoundation.org>
References: <20181002132459.032960735@linuxfoundation.org>

4.18-stable review patch. If anyone has any objections, please let me know.

------------------

From: Hugo Lefeuvre

[ Upstream commit 6de4ef65a8c6f53ce7eef06666410bc3b6e4b624 ]

In the PI433_IOC_WR_TX_CFG case in pi433_ioctl, instance->tx_cfg is modified via

copy_from_user(&instance->tx_cfg, argp, sizeof(struct pi433_tx_cfg)))

without any kind of synchronization. In the case where two threads would execute this same command concurrently the tx_cfg field might enter an inconsistent state.

Additionally: if ioctl(PI433_IOC_WR_TX_CFG) and write() execute concurrently the tx config might be modified while it is being copied to the fifo, resulting in potential data corruption.

Fix: Get instance->tx_cfg_lock before modifying tx config in the PI433_IOC_WR_TX_CFG case in pi433_ioctl.

Also, do not copy data directly from user space to instance->tx_cfg. Instead use a temporary buffer allowing future checks for correctness of copied data and simpler code.

Signed-off-by: Hugo Lefeuvre
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman

--- drivers/staging/pi433/pi433_if.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) --- a/drivers/staging/pi433/pi433_if.c +++ b/drivers/staging/pi433/pi433_if.c @@ -880,6 +880,7 @@ pi433_ioctl(struct file *filp, unsigned int retval = 0; struct pi433_instance *instance; struct pi433_device *device; + struct pi433_tx_cfg tx_cfg; void __user *argp = (void __user *)arg; /* Check type and command number */ @@ -902,9 +903,11 @@ pi433_ioctl(struct file *filp, unsigned return -EFAULT; break; case PI433_IOC_WR_TX_CFG: - if (copy_from_user(&instance->tx_cfg, argp, - sizeof(struct pi433_tx_cfg))) + if (copy_from_user(&tx_cfg, argp, sizeof(struct pi433_tx_cfg))) return -EFAULT; + mutex_lock(&device->tx_fifo_lock); + memcpy(&instance->tx_cfg, &tx_cfg, sizeof(struct pi433_tx_cfg)); + mutex_unlock(&device->tx_fifo_lock); break; case PI433_IOC_RD_RX_CFG: if (copy_to_user(argp, &device->rx_cfg,
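
Review bot: In the PI433_IOC_WR_TX_CFG case of the second hunk the mutex taken is device->tx_fifo_lock, but the commit message says the fix gets instance->tx_cfg_lock, so the changelog and the code name different locks and one of them should be corrected. The ioctl-versus-write() race described in the message is closed only if the write() path holds the same device->tx_fifo_lock while it copies instance->tx_cfg into the fifo, and that side is not visible in these lines; a short comment beside `mutex_lock(&device->tx_fifo_lock);` stating that this per-device lock also guards the per-instance tx_cfg would make the locking rule checkable. Copying into the local tx_cfg first and keeping copy_from_user() outside the critical section is the right shape, since a faulting user access then never happens with the mutex held.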