From patchwork Wed Sep 27 01:13:34 2017
X-Patchwork-Submitter: Miaoqing Pan
X-Patchwork-Id: 9972889
From: miaoqing@codeaurora.org
To: kvalo@qca.qualcomm.com
Cc: linux-wireless@vger.kernel.org, ath9k-devel@qca.qualcomm.com,
 sssa@qti.qualcomm.com, Miaoqing Pan
Subject: [PATCH] ath9k: fix tx99 potential info leak
Date: Wed, 27 Sep 2017 09:13:34 +0800
Message-Id: <1506474814-18118-1-git-send-email-miaoqing@codeaurora.org>

From: Miaoqing Pan

When the user sets count to zero the string buffer would remain
completely uninitialized which causes the kernel to parse its own stack
data, potentially leading to an info leak. In addition to that, the
string might not be terminated properly when the user data does not
contain a 0-terminator.

Signed-off-by: Miaoqing Pan
Reviewed-by: Christoph Böhmwalder
---
 drivers/net/wireless/ath/ath9k/tx99.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/drivers/net/wireless/ath/ath9k/tx99.c b/drivers/net/wireless/ath/ath9k/tx99.c index 49ed1af..fe3a826 100644 --- a/drivers/net/wireless/ath/ath9k/tx99.c +++ b/drivers/net/wireless/ath/ath9k/tx99.c @@ -179,6 +179,9 @@ static ssize_t write_file_tx99(struct file *file, const char __user *user_buf, ssize_t len; int r; + if (count < 1) + return -EINVAL; + if (sc->cur_chan->nvifs > 1) return -EOPNOTSUPP; @@ -186,6 +189,8 @@ static ssize_t write_file_tx99(struct file *file, const char __user *user_buf, if (copy_from_user(buf, user_buf, len)) return -EFAULT; + buf[len] = '\0'; + if (strtobool(buf, &start)) return -EINVAL;
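Review bot: in the first hunk (@@ -179,6 +179,9 @@), the new check `if (count < 1)` would state its intent more directly as `if (!count)` or `if (count == 0)`, since the commit message names exactly one rejected case ("When the user sets count to zero"). The declaration of `count` is cut off in the hunk header, so if it is an unsigned size the `< 1` form reads as though negative values were in play. The check also sits ahead of the `sc->cur_chan->nvifs > 1` test, so an empty write now returns -EINVAL where it previously could return -EOPNOTSUPP; a short comment on the intended ordering would help.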
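Review bot: in the second hunk (@@ -186,6 +189,8 @@), `buf[len] = '\0';` is in bounds only if `len` is capped at one less than the size of `buf`, and neither the declaration of `buf` nor the assignment to `len` appears in the visible context. Please confirm that the clamp leaves room for the terminator and say so in the commit message, since the safety of this line depends on it. The message also has no Fixes: tag, which would help match this change to the commit that introduced the `strtobool(buf, &start)` call on an unterminated buffer when backporting.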