firmware: xilinx: fix debugfs write handler
- Userspace wants to write a string with `len` bytes, not counting the terminating NULL, so we should allocate `len+1` bytes. It looks like the current code relied on having a nullbyte directly behind `kern_buff`, which happens to work reliably as long as `len` isn't one of the kmalloc size classes. - strncpy_from_user() is completely wrong here; userspace is giving us a (not necessarily null-terminated) buffer and its length. strncpy_from_user() is for cases in which we don't know the length. - Don't let broken userspace allocate arbitrarily big kmalloc allocations. Just use memdup_user_nul(), which is designed precisely for things like this. Signed-off-by: Jann Horn <jannh@google.com> Acked-by: Jolly Shah <jolly.shah@xilinx.com> Signed-off-by: Michal Simek <michal.simek@xilinx.com>
This commit is contained in:
Jann Horn
Michal Simek
parent
9e98c678c2
commit
b9472f7d82
|
|
@ -163,21 +163,14 @@ static ssize_t zynqmp_pm_debugfs_api_write(struct file *file,
|
|||
|
||||
strcpy(debugfs_buf, "");
|
||||
|
||||
if (*off != 0 || len == 0)
|
||||
if (*off != 0 || len <= 1 || len > PAGE_SIZE - 1)
|
||||
return -EINVAL;
|
||||
|
||||
kern_buff = kzalloc(len, GFP_KERNEL);
|
||||
if (!kern_buff)
|
||||
return -ENOMEM;
|
||||
|
||||
kern_buff = memdup_user_nul(ptr, len);
|
||||
if (IS_ERR(kern_buff))
|
||||
return PTR_ERR(kern_buff);
|
||||
tmp_buff = kern_buff;
|
||||
|
||||
ret = strncpy_from_user(kern_buff, ptr, len);
|
||||
if (ret < 0) {
|
||||
ret = -EFAULT;
|
||||
goto err;
|
||||
}
|
||||
|
||||
/* Read the API name from a user request */
|
||||
pm_api_req = strsep(&kern_buff, " ");
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue