Message ID | 20211019144520.3613926-4-geert@linux-m68k.org (mailing list archive) |
---|---|
State | Not Applicable |
Series | auxdisplay: ht16k33: Add character display support |

On Tue, Oct 19, 2021 at 4:45 PM Geert Uytterhoeven <geert@linux-m68k.org> wrote:
>
> + devm_kfree(&ctx->pdev->dev, ctx->message);

Unrelated to this patch (and no need to change it), but we could remove the conditional guarding the devm_kfree below to match this one.

Cheers,
Miguel

On Tue, Oct 19, 2021 at 10:50 PM Miguel Ojeda <miguel.ojeda.sandonis@gmail.com> wrote:
>
> Unrelated to this patch (and no need to change it), but we could
> remove the conditional guarding the devm_kfree below to match this
> one.

Yeah, you did it when moving the code later on -- I guess we could have done it before too, to match, like the sysfs_emit change does it before, but it is not that important.

Cheers,
Miguel

Hi Miguel,

On Tue, Oct 19, 2021 at 11:09 PM Miguel Ojeda <miguel.ojeda.sandonis@gmail.com> wrote:
> On Tue, Oct 19, 2021 at 10:50 PM Miguel Ojeda
> <miguel.ojeda.sandonis@gmail.com> wrote:
> >
> > Unrelated to this patch (and no need to change it), but we could
> > remove the conditional guarding the devm_kfree below to match this
> > one.
>
> Yeah, you did it when moving the code later on -- I guess we could
> have done it before too, to match, like the sysfs_emit change does it
> before, but it is not that important.

As this patch fixes a DoS that can be triggered from userspace, I wanted it to be a fix as small and concise as possible.

Gr{oetje,eeting}s,

Geert

--
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org

In personal conversations with technical people, I call myself a hacker. But when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds

diff --git a/drivers/auxdisplay/img-ascii-lcd.c b/drivers/auxdisplay/img-ascii-lcd.c index 1cce409ce5cacbc8..e33ce0151cdfd150 100644 --- a/drivers/auxdisplay/img-ascii-lcd.c +++ b/drivers/auxdisplay/img-ascii-lcd.c @@ -280,6 +280,16 @@ static int img_ascii_lcd_display(struct img_ascii_lcd_ctx *ctx, if (msg[count - 1] == '\n') count--; + if (!count) { + /* clear the LCD */ + devm_kfree(&ctx->pdev->dev, ctx->message); + ctx->message = NULL; + ctx->message_len = 0; + memset(ctx->curr, ' ', ctx->cfg->num_chars); + ctx->cfg->update(ctx); + return 0; + } + new_msg = devm_kmalloc(&ctx->pdev->dev, count + 1, GFP_KERNEL); if (!new_msg) return -ENOMEM;
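
Review bot: the new `if (!count)` test comes after the context line `if (msg[count - 1] == '\n')`, so that read still depends on count being at least 1 on entry, and nothing in the hunk says so. The commit message argues that an empty write never reaches this function; a short comment above the trim stating that assumption would keep a later caller from passing a zero count and reading one byte before msg. The `/* clear the LCD */` comment could also say why an empty message has to stop here (the scroll code loops forever on it, per the commit message), so that a future cleanup does not drop the early return as redundant.
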

While writing an empty string to a device attribute is a no-op, and thus does not need explicit safeguards, the user can still write a single newline to an attribute file:

    echo > .../message

If that happens, img_ascii_lcd_display() trims the newline, yielding an empty string, and causing an infinite loop in img_ascii_lcd_scroll().

Fix this by adding a check for empty strings. Clear the display in case one is encountered.

Fixes: 0cad855fbd083ee5 ("auxdisplay: img-ascii-lcd: driver for simple ASCII LCD displays")
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>

---

Untested with img-ascii-lcd, but triggered with my initial version of linedisp.

v8:
  - No changes,

v7:
  - No changes,

v6:
  - No changes,

v5:
  - No changes,

v4:
  - No changes,

v3:
  - No changes,

v2:
  - No changes.

---

 drivers/auxdisplay/img-ascii-lcd.c | 10 ++++++++++
 1 file changed, 10 insertions(+)
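
The failure mode described in the commit message above, as an added user-space example (not the driver's code and not from the patch author): a lone newline trims to length zero, and a wrap-around fill then makes no progress. The names `trim_newline`, `fill_wrapping`, `display` and `NUM_CHARS` are assumptions, and the fill loop is an assumed model of a scrolling fill, since img_ascii_lcd_scroll() itself is not shown on this page.

```c
#include <stdio.h>
#include <string.h>

#define NUM_CHARS 8	/* assumed display width */

/* Trim one trailing newline, as the commit message says the display path does. */
static size_t trim_newline(const char *msg, size_t count)
{
	if (count && msg[count - 1] == '\n')
		count--;
	return count;
}

/*
 * Assumed model of a wrap-around fill: copy the message into the display
 * buffer, restarting at the start of the message until the buffer is full.
 * Returns the number of passes, or -1 when a pass copies nothing (len == 0).
 */
static int fill_wrapping(char *curr, const char *msg, size_t len)
{
	size_t i = 0, ch;
	int passes = 0;
	while (i < NUM_CHARS) {
		size_t before = i;
		for (ch = 0; i < NUM_CHARS && ch < len; i++, ch++)
			curr[i] = msg[ch];
		if (i == before)
			return -1;	/* without this check the loop never ends */
		passes++;
	}
	return passes;
}

/* Guarded entry point: a message that is empty after trimming clears the display. */
static int display(char *curr, const char *msg, size_t count)
{
	count = trim_newline(msg, count);
	if (!count) {
		memset(curr, ' ', NUM_CHARS);
		return 0;
	}
	return fill_wrapping(curr, msg, count);
}

int main(void)
{
	char curr[NUM_CHARS + 1] = { 0 };
	printf("unguarded: %d\n", fill_wrapping(curr, "\n", trim_newline("\n", 1)));
	printf("guarded:   %d [%s]\n", display(curr, "\n", 1), curr);
	return 0;
}
```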