From patchwork Wed Jul 6 06:55:38 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dan Carpenter X-Patchwork-Id: 12907396 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 72D3AC433EF for ; Wed, 6 Jul 2022 06:56:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230309AbiGFG4d (ORCPT ); Wed, 6 Jul 2022 02:56:33 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49692 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229530AbiGFG4c (ORCPT ); Wed, 6 Jul 2022 02:56:32 -0400 Received: from mx0a-00069f02.pphosted.com (mx0a-00069f02.pphosted.com [205.220.165.32]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0AD5B1BE8A; Tue, 5 Jul 2022 23:56:32 -0700 (PDT) Received: from pps.filterd (m0246617.ppops.net [127.0.0.1]) by mx0b-00069f02.pphosted.com (8.17.1.5/8.17.1.5) with ESMTP id 266641mY017821; Wed, 6 Jul 2022 06:55:53 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=date : from : to : cc : subject : message-id : content-type : mime-version; s=corp-2021-07-09; bh=4JaVe1IloRwpGT4ikJwSfLNPbCSJw1NZ3MZO9TgHlTs=; b=oXImPXy1rHHv8AZdbxSiIH1mIYKF8KchkkCzuVfnXBRuYL4ZuoKQUSqNJNfnAD1s3fGS ualnMgTpuahDZIIcXBJRFZJQ+yWEMDpHUb2j29YTRw6forGvurOZe5DKLW5QBY6UYNzk dH4Z8nTLKzyKmrIzY3msO+FWYLigwD4EBCO8SpSgKoq34vDtZc5oM+xR7R1V3AM0Ov/F 5tChEbYdj0+jXVyueOFoDDfwXC7tA1idJs/iSbJ25DLenRunV9b1PIvtIn1Ej7UoG5FZ Fwx+qvfuVTKcQIXcJKjpmMhcH1ldOu7mnePdbzkDKgv++ZQDdogjcecCggye0HcFxKab 3w== Received: from iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com (iadpaimrmta02.appoci.oracle.com [147.154.18.20]) by mx0b-00069f02.pphosted.com (PPS) with ESMTPS id 3h4ubyh2dw-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 06 Jul 2022 06:55:52 +0000 Received: from pps.filterd (iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com [127.0.0.1]) by iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com (8.16.1.2/8.16.1.2) with SMTP id 2666fBKI028419; Wed, 6 Jul 2022 06:55:51 GMT Received: from nam11-dm6-obe.outbound.protection.outlook.com (mail-dm6nam11lp2177.outbound.protection.outlook.com [104.47.57.177]) by iadpaimrmta02.imrmtpd1.prodappiadaev1.oraclevcn.com with ESMTP id 3h4ud0jjgh-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 06 Jul 2022 06:55:51 +0000 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Kxfai07+pt0CUO1luyNrpjc7kPOue4uIBwxumceOEONAVyB30ONqPKAOmJSLF2FMPsdykwwInXiHX5GM9s2Yht3CcjRn+w0TAPbTrjdxpbZ3pcCW0xm9cAKNSRdcgfTGxZykYIi5X8vMbVnJjVp+XGMSE2PTC4OwDiq761D+UYpy2UNyI+A3npIDr44c/qChTWE4icIMGm1iqa07Mhh6mqGdOL5zEi6+cItLdp4A4K2KszW4Jsq4VjaokKqbPBqqIUKcuheCty8vt0ht8Pi12yua+Q5RZN4AUN/Ojg99h9XaRxe6SLHo3b3SnJcDnKl0vwEyDCC3ys7EM1fQHkDR0g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=4JaVe1IloRwpGT4ikJwSfLNPbCSJw1NZ3MZO9TgHlTs=; b=B01vAYIjK2mYP3/fwi6cC2YGOtiaL5rmug4rsjdjvaR2wq2Y6FVJ7jRjtWBdw+EpY8oKtkRxzGsqhscIVNr/6Ol9t9jnPUH0csI5WL94NqKqfAWiRZf8cQah2WNdE9pS/o3YVPeeg2MXI0QuY4vPz+IMaz+kgSgXno5TSQEQx/zJgrgPM9YHcVdReJYfUu9ho5K+lZ8oli8otdLNoItpPSNUrZBog71kUmYhClxkdy49Chs5NmphHTRL9K5Dee5Nz1h2XrbV3hNLXFSQ2rM9knQNfLN7yEG0R6BGIL4hTozj0FpOMKGyl554q8Jkg0fD1tFCA1d2sytM/XSukXJDww== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=oracle.com; dmarc=pass action=none header.from=oracle.com; dkim=pass header.d=oracle.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.onmicrosoft.com; s=selector2-oracle-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4JaVe1IloRwpGT4ikJwSfLNPbCSJw1NZ3MZO9TgHlTs=; b=ZbHswLCDrohCi2AOkZG6nh9xoW53Y0F/KdVdtpaZjBU+cgmtqG9SB/XeQpn+aSozhkxlAOHP2TChwPB2XGeO6px4cjjs8DEMJ3SEWopMr6R8DCn5sHjozxD6PsK76M29jtfbX72WKq4KJSEc4bi53q3bexjsBseitO9722rl+t4= Received: from MWHPR1001MB2365.namprd10.prod.outlook.com (2603:10b6:301:2d::28) by CO1PR10MB4642.namprd10.prod.outlook.com (2603:10b6:303:6f::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5395.15; Wed, 6 Jul 2022 06:55:49 +0000 Received: from MWHPR1001MB2365.namprd10.prod.outlook.com ([fe80::5020:9b82:5917:40b]) by MWHPR1001MB2365.namprd10.prod.outlook.com ([fe80::5020:9b82:5917:40b%6]) with mapi id 15.20.5395.021; Wed, 6 Jul 2022 06:55:49 +0000 Date: Wed, 6 Jul 2022 09:55:38 +0300 From: Dan Carpenter To: Kalle Valo , Jiri Slaby Cc: Paolo Abeni , Johannes Berg , Vladimir Kondratiev , "John W. Linville" , linux-wireless@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [PATCH 1/2] wil6210: debugfs: fix info leak in wil_write_file_wmi() Message-ID: Content-Disposition: inline X-Mailer: git-send-email haha only kidding X-ClientProxiedBy: ZR0P278CA0174.CHEP278.PROD.OUTLOOK.COM (2603:10a6:910:45::20) To MWHPR1001MB2365.namprd10.prod.outlook.com (2603:10b6:301:2d::28) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 7c99d74e-89fc-4500-7253-08da5f1c8ee7 X-MS-TrafficTypeDiagnostic: CO1PR10MB4642:EE_ X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0; X-Microsoft-Antispam-Message-Info: fz3+DYDphidgct4FFabBIYyKnQt11sNPOs0xnTB+k9lmOk+EhIo4sLkTXtYPpb2lcUrkYXNgriLIkGXNko1cvIYkYn5nBV/UYSNX1L52IINRIsQDktlE623O+PyLQgLKWHW0DmDVYfq1unkQledqEN2UHf/TjsDLTnwGIyLjWDUp+aGg+RdFTDegnJRc89SQtmO6ilYc/sMhR++0EMzenW2KIJJ64VhY1rdgPX4VG4+ycHgkq8a76ZqYggsVWVlzYZtK0gW0jizhtY/3R/lEVHpnkzaVWShTX2Yz8P0iqgCVsclXSVuJnOc5wrNeboHiR3EadNvLmhORi6FuMScCyyWk6gsjIJ2zChDYgeRGMQXbIFlNKk/K34uZziKxG4GA8EHyEwtKgkpckhe4CDmhwHRPWJvgB7nlstImCk3VrQs5SVndRL2VcGWIbBJ5vCUXCfA/df0vcUBL2mxqcatfyWpxF41yiml9jbVl0P59MDEp6cYfvvOJ7YLep1+0XokK8AwZ9nkT2vC8ahYuejI7K/uM+GnhPtKJ+Xc1UJdT0rNdj4WBtU3+J6hytoLJGpfXeUTao+R7lZAa5FebYGl/2RyM4b4WEROeUpf7QG9/h2XYrsIT4aMbPd70xOfPyXjlasHzgvo1oxQFuAjqBOq6PmfWBBWNDejLfS6aXmM17wsJNeX0vtaN0L1zKSGzhhCvaHBSxMzp6cDoSg06tcaIsnWFzYcrRF8ksgh4dFvSH4XTicO4DlVZzyYB0MywLD7KI5WZhndmFougx8xUY3DniV0HO6oh1EFh84YosEyER75WWtrdhd7YskEAsCNMpwYN X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:MWHPR1001MB2365.namprd10.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230016)(7916004)(136003)(346002)(376002)(396003)(366004)(39860400002)(478600001)(38100700002)(38350700002)(6486002)(186003)(6506007)(41300700001)(6666004)(52116002)(110136005)(2906002)(66556008)(316002)(54906003)(8936002)(5660300002)(44832011)(86362001)(6512007)(26005)(9686003)(83380400001)(66946007)(66476007)(33716001)(4326008)(8676002);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: o6j7nc5AJdB0MLJ0YPCDOTAKVmpmKDoMkUWlBYlQo3U5N2nkrxvURmz2X4zxwrNenjHn3vIH4TMD0yi/MJQMsW/iFuwcoLqKo2CXUmf79X7Y5yoh+NZlON+S+UEdYUvC4aMrtKP6GJL15akvXTx8qNdxMoJd+MTnLZMI8TeSibLlOO/egKAOhEOgI1n3Mb/L7GXc59slm3tktH+ifjCtRlfit89tcxE4YUShVura5luxVNDOKvw/n2I3H15ZoeTbidFHjQBOYQVJnCiDBmb8vtshdB8o4i6qP9ANc/15Kjw3tA99aljhWkGDY6hC9uyoC4LT1EfqRhDCbcSHIMhMQ1Cy/dVRmKGrJkNJJqSC45UaIlP98mmdqdzBbHH1cjAn2H7P6PTXiimi2NBMj4uawmN9hzNtsXEwPgs4XmGyMaJKAV7CEjaQxJrBPA9JZoUufyhFMlJqA6DUKoN0/B4jyjrekMiARU4YOnMzfnJbmf7p7RwfxoQzO2s0tVqyLBVDRHyX1rM7TU6+xtaa7zWGy94yF1LAxsVktTgW13q2OwsH1SBKUUqsuscfbMZ7Jb7AcvvCSiVRboJpr814znvqk7IXTQSOzxjmE8T7Sv8STTM0ECPVJPSuEm40HLwHpKCrHg0jRgyAiDqsE40CEtwkKr7YZFvRQQX94xDsjbGmRRcrKiw4xf1zNlkRC12lIxKhxdS52QIXGVenHeqfrKTtpeI3fbflEZ/QOW7oRMYpAk2JAPtzqFUzFTTEp9gOOAfqdIEmw12WY+KYiuxV68Tv3zPTSSJ5JhSLsovZtzgp3Kt+BAstjD3Hu8DIIbQogHTIExxrmFGGqW9eYBhwYrQRA7NoXWRcZPP1zM5FTjuO5PfEAQr6w+HGF1qcOBfOODCqqp3/8pyblrCX+0lsGmQxW8oA8Nsm0hGRAUiXF7Y5kh/mYdQHTrP4NK45qFzoJeqfb1F1M2q8JVizvVdK4ZttHW9nEW0UGjU5uBvcQvBy/qy0ZNwd5Dc2Cgtb1Hq1PgJQjHJQNT1Tj8xbya7N0xy94Qfsru6fEurO28pxiuZUfuZmEg85V2oeXRuR859gTcfOdSlQU9nsNtihQlp0zFAW0Sm7m9uzCkch3DrWpCY2NC6Q3vvyFG180fbmK0cNVyrdLdywznxqOZ12YNG19DxnYbMIAC4bqMWh2sircP+PIaVNXYcP1QgRKahyKYDRC1NG/2iHEl5wBP1uJGb76laSAVYaRlEFFpOZaYQsjB414J/sSddVDgqWZ0a9wG8UBYFdZ786Um7EluFfpKIMyTI0fr5yXxaJk07XfJbahuHYItWHmAcGJGlfxHUZ/AEwzKN9XgkTZ5bND+J+25/Dan8KjzqGGs+ExZMwBmFsEZ8XzWqL8k/wDKyc1mhPFryPtEX8rRS+0bgXe3RoZrgUDFbdBl+knah3/ggwfoEizk6xlcv/s3/DA2xG7/Us04b2F5SdX7ctLArv/P/pml65FqlvHcQUFQMJ+gG7T3Jp2cJyp/utbY40MPXt+hDAEImlUHW0wplHBmbMxFnsw/IU9Zt/omtAydcAXbUz4n1HPL8Ksmm/H9oTAC/2rUUPhFEGd5TUobaL+sN7oq/L4QWe9Vcpuw== X-OriginatorOrg: oracle.com X-MS-Exchange-CrossTenant-Network-Message-Id: 7c99d74e-89fc-4500-7253-08da5f1c8ee7 X-MS-Exchange-CrossTenant-AuthSource: MWHPR1001MB2365.namprd10.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 06 Jul 2022 06:55:49.0570 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: iH9+1EH+C9cedEEySR4tpvjIosPC9iehd2R2G7xTSh3CFf8BOoV9BE7aPcW/u78iYsDFw8lP/vkT2Rq6vnX+SdabAheRwnEtzTiGpyTT+c4= X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1PR10MB4642 X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.517,18.0.883 definitions=2022-07-06_03:2022-06-28,2022-07-06 signatures=0 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 adultscore=0 spamscore=0 phishscore=0 malwarescore=0 mlxscore=0 mlxlogscore=999 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2206140000 definitions=main-2207060025 X-Proofpoint-GUID: syK9cHyjw6R_9moI7nzZTzfdz0ufT8wP X-Proofpoint-ORIG-GUID: syK9cHyjw6R_9moI7nzZTzfdz0ufT8wP Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org The simple_write_to_buffer() function will succeed if even a single byte is initialized. However we need to initialize the whole buffer to prevent information leaks. Just use memdup_user(). Fixes: ff974e408334 ("wil6210: debugfs interface to send raw WMI command") Signed-off-by: Dan Carpenter --- drivers/net/wireless/ath/wil6210/debugfs.c | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/drivers/net/wireless/ath/wil6210/debugfs.c b/drivers/net/wireless/ath/wil6210/debugfs.c index 64d6c98174c8..fe84362718de 100644 --- a/drivers/net/wireless/ath/wil6210/debugfs.c +++ b/drivers/net/wireless/ath/wil6210/debugfs.c @@ -1012,18 +1012,12 @@ static ssize_t wil_write_file_wmi(struct file *file, const char __user *buf, u16 cmdid; int rc, rc1; - if (cmdlen < 0) + if (cmdlen < 0 || *ppos != 0) return -EINVAL; - wmi = kmalloc(len, GFP_KERNEL); - if (!wmi) - return -ENOMEM; - - rc = simple_write_to_buffer(wmi, len, ppos, buf, len); - if (rc < 0) { - kfree(wmi); - return rc; - } + wmi = memdup_user(buf, len); + if (IS_ERR(wmi)) + return PTR_ERR(wmi); cmd = (cmdlen > 0) ? &wmi[1] : NULL; cmdid = le16_to_cpu(wmi->command_id);