Strona główna Odkrywaj Pomoc
Zaloguj się
GfA
/
linux_kernel
5
0
Forkuj 0
Pliki Problemy 0 Oczekujące zmiany 0 Wiki
Przeglądaj źródła

ath10k: fix information leak in debugfs

During write to some of debugfs in ath10k, few variables exposing stack
data when process user input. which leads to possible information leak.

This patch fix this issue by initializing buffer and checks
the return valure of 'simple_write_to_buffer'.

Signed-off-by: Venkateswara Naralasetty <vnaralas@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Venkateswara Naralasetty 7 lat temu
rodzic
51c12756de
commit
2f177c1628
2 zmienionych plików z 25 dodań i 25 usunięć
Zunifikowany widok Pokaż statystyki zmian
  1. 10 10
      drivers/net/wireless/ath/ath10k/debug.c
  2. 15 15
      drivers/net/wireless/ath/ath10k/debugfs_sta.c

+ 10 - 10
drivers/net/wireless/ath/ath10k/debug.c
Wyświetl plik 

@@ -987,13 +987,13 @@ static ssize_t ath10k_write_htt_max_amsdu_ampdu(struct file *file,
 
 {
 
 {
 
 	struct ath10k *ar = file->private_data;
 
 	struct ath10k *ar = file->private_data;
 
 	int res;
 
 	int res;
 
-	char buf[64];
 
+	char buf[64] = {0};
 
 	unsigned int amsdu, ampdu;
 
 	unsigned int amsdu, ampdu;
 
 
 
-	simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
 
-
 
-	/* make sure that buf is null terminated */
 
-	buf[sizeof(buf) - 1] = 0;
 
+	res = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos,
 
+				     user_buf, count);
 
+	if (res <= 0)
 
+		return res;
 
 
 
 	res = sscanf(buf, "%u %u", &amsdu, &ampdu);
 
 	res = sscanf(buf, "%u %u", &amsdu, &ampdu);
 
 
 
@@ -1043,14 +1043,14 @@ static ssize_t ath10k_write_fw_dbglog(struct file *file,
 
 {
 
 {
 
 	struct ath10k *ar = file->private_data;
 
 	struct ath10k *ar = file->private_data;
 
 	int ret;
 
 	int ret;
 
-	char buf[96];
 
+	char buf[96] = {0};
 
 	unsigned int log_level;
 
 	unsigned int log_level;
 
 	u64 mask;
 
 	u64 mask;
 
 
 
-	simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
 
-
 
-	/* make sure that buf is null terminated */
 
-	buf[sizeof(buf) - 1] = 0;
 
+	ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos,
 
+				     user_buf, count);
 
+	if (ret <= 0)
 
+		return ret;
 
 
 
 	ret = sscanf(buf, "%llx %u", &mask, &log_level);
 
 	ret = sscanf(buf, "%llx %u", &mask, &log_level);

+ 15 - 15
drivers/net/wireless/ath/ath10k/debugfs_sta.c
Wyświetl plik 

@@ -254,12 +254,12 @@ static ssize_t ath10k_dbg_sta_write_addba(struct file *file,
 
 	struct ath10k *ar = arsta->arvif->ar;
 
 	struct ath10k *ar = arsta->arvif->ar;
 
 	u32 tid, buf_size;
 
 	u32 tid, buf_size;
 
 	int ret;
 
 	int ret;
 
-	char buf[64];
 
+	char buf[64] = {0};
 
 
 
-	simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
 
-
 
-	/* make sure that buf is null terminated */
 
-	buf[sizeof(buf) - 1] = '\0';
 
+	ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos,
 
+				     user_buf, count);
 
+	if (ret <= 0)
 
+		return ret;
 
 
 
 	ret = sscanf(buf, "%u %u", &tid, &buf_size);
 
 	ret = sscanf(buf, "%u %u", &tid, &buf_size);
 
 	if (ret != 2)
 
 	if (ret != 2)
 
@@ -305,12 +305,12 @@ static ssize_t ath10k_dbg_sta_write_addba_resp(struct file *file,
 
 	struct ath10k *ar = arsta->arvif->ar;
 
 	struct ath10k *ar = arsta->arvif->ar;
 
 	u32 tid, status;
 
 	u32 tid, status;
 
 	int ret;
 
 	int ret;
 
-	char buf[64];
 
-
 
-	simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
 
+	char buf[64] = {0};
 
 
 
-	/* make sure that buf is null terminated */
 
-	buf[sizeof(buf) - 1] = '\0';
 
+	ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos,
 
+				     user_buf, count);
 
+	if (ret <= 0)
 
+		return ret;
 
 
 
 	ret = sscanf(buf, "%u %u", &tid, &status);
 
 	ret = sscanf(buf, "%u %u", &tid, &status);
 
 	if (ret != 2)
 
 	if (ret != 2)
 
@@ -355,12 +355,12 @@ static ssize_t ath10k_dbg_sta_write_delba(struct file *file,
 
 	struct ath10k *ar = arsta->arvif->ar;
 
 	struct ath10k *ar = arsta->arvif->ar;
 
 	u32 tid, initiator, reason;
 
 	u32 tid, initiator, reason;
 
 	int ret;
 
 	int ret;
 
-	char buf[64];
 
-
 
-	simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count);
 
+	char buf[64] = {0};
 
 
 
-	/* make sure that buf is null terminated */
 
-	buf[sizeof(buf) - 1] = '\0';
 
+	ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos,
 
+				     user_buf, count);
 
+	if (ret <= 0)
 
+		return ret;
 
 
 
 	ret = sscanf(buf, "%u %u %u", &tid, &initiator, &reason);
 
 	ret = sscanf(buf, "%u %u %u", &tid, &initiator, &reason);
 
 	if (ret != 3)
 
 	if (ret != 3)