mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-29 05:44:11 +00:00
Code Issues Releases Wiki Activity

wifi: wil6210: debugfs: fix info leak in wil_write_file_wmi()

Browse source 
The simple_write_to_buffer() function will succeed if even a single
byte is initialized.  However, we need to initialize the whole buffer
to prevent information leaks.  Just use memdup_user().

Fixes: ff974e4083 ("wil6210: debugfs interface to send raw WMI command")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/Ysg14NdKAZF/hcNG@kili
This commit is contained in:
Dan Carpenter 2022-07-15 13:35:18 +03:00 committed by Kalle Valo
parent eaedf62f7a
commit 7a4836560a
1 changed files with 4 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
drivers/net/wireless/ath/wil6210/debugfs.c
View file

@ -1012,18 +1012,12 @@ static ssize_t wil_write_file_wmi(struct file *file, const char __user *buf,
u16 cmdid;
int rc, rc1;
if (cmdlen < 0)
if (cmdlen < 0 || *ppos != 0)
return -EINVAL;
wmi = kmalloc(len, GFP_KERNEL);
if (!wmi)
return -ENOMEM;
rc = simple_write_to_buffer(wmi, len, ppos, buf, len);
if (rc < 0) {
kfree(wmi);
return rc;
}
wmi = memdup_user(buf, len);
if (IS_ERR(wmi))
return PTR_ERR(wmi);
cmd = (cmdlen > 0) ? &wmi[1] : NULL;
cmdid = le16_to_cpu(wmi->command_id);