mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity

wifi: wil6210: debugfs: fix info leak in wil_write_file_wmi() 

[ Upstream commit 7a4836560a ]

The simple_write_to_buffer() function will succeed if even a single
byte is initialized.  However, we need to initialize the whole buffer
to prevent information leaks.  Just use memdup_user().

Fixes: ff974e4083 ("wil6210: debugfs interface to send raw WMI command")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/Ysg14NdKAZF/hcNG@kili
Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
Dan Carpenter 2022-07-15 13:35:18 +03:00 committed by Greg Kroah-Hartman
parent 48cca38787
commit c1216e699a
1 changed files with 4 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
drivers/net/wireless/ath/wil6210/debugfs.c
View File

@ -836,18 +836,12 @@ static ssize_t wil_write_file_wmi(struct file *file, const char __user *buf,
u16 cmdid;
int rc, rc1;
if (cmdlen < 0)
if (cmdlen < 0 || *ppos != 0)
return -EINVAL;
wmi = kmalloc(len, GFP_KERNEL);
if (!wmi)
return -ENOMEM;
rc = simple_write_to_buffer(wmi, len, ppos, buf, len);
if (rc < 0) {
kfree(wmi);
return rc;
}
wmi = memdup_user(buf, len);
if (IS_ERR(wmi))
return PTR_ERR(wmi);
cmd = (cmdlen > 0) ? &wmi[1] : NULL;
cmdid = le16_to_cpu(wmi->command_id);