From patchwork Tue Jul 7 14:43:50 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kars Mulder X-Patchwork-Id: 11648807 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id D8337618 for ; Tue, 7 Jul 2020 14:43:56 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id CA7A220773 for ; Tue, 7 Jul 2020 14:43:56 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728218AbgGGOnx convert rfc822-to-8bit (ORCPT ); Tue, 7 Jul 2020 10:43:53 -0400 Received: from relay11.mail.gandi.net ([217.70.178.231]:46981 "EHLO relay11.mail.gandi.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726946AbgGGOnx (ORCPT ); Tue, 7 Jul 2020 10:43:53 -0400 Received: from sogo7.sd4.0x35.net (sogo7.sd4.0x35.net [10.200.201.57]) (Authenticated sender: kerneldev@karsmulder.nl) by relay11.mail.gandi.net (Postfix) with ESMTPA id 820E8100017; Tue, 7 Jul 2020 14:43:50 +0000 (UTC) From: "Kars Mulder" X-Forward: 127.0.0.1 Date: Tue, 07 Jul 2020 16:43:50 +0200 Cc: "Pavel Machek" , "David Laight" , "Greg Kroah-Hartman" , "Kai-Heng Feng" , "Andy Shevchenko" , "Oliver Neukum" To: linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org MIME-Version: 1.0 Message-ID: <5ee2-5f048a00-21-618c5c00@230659773> Subject: =?utf-8?b?W1BBVENIIHYzXSB1c2I6IGNvcmU6?= fix =?utf-8?b?cXVpcmtzX3Bh?= =?utf-8?b?cmFtX3NldCgp?= writing to a const pointer User-Agent: SOGoMail 4.3.2 Sender: linux-usb-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org The function quirks_param_set() takes as argument a const char* pointer to the new value of the usbcore.quirks parameter. It then casts this pointer to a non-const char* pointer and passes it to the strsep() function, which overwrites the value. Fix this by creating a copy of the value using kstrdup() and letting that copy be written to by strsep(). Fixes: 027bd6cafd9a ("usb: core: Add "quirks" parameter for usbcore") Signed-off-by: Kars Mulder --- Changes v1 -> v2: * Uses a different approach; now copies the value to the heap using kstrdup() rather than copying it to a buffer on the stack. Changes v2 -> v3: * Added a changelog between patch versions. drivers/usb/core/quirks.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c index e0b77674869c..c96c50faccf7 100644 --- a/drivers/usb/core/quirks.c +++ b/drivers/usb/core/quirks.c @@ -25,17 +25,23 @@ static unsigned int quirk_count; static char quirks_param[128]; -static int quirks_param_set(const char *val, const struct kernel_param *kp) +static int quirks_param_set(const char *value, const struct kernel_param *kp) { - char *p, *field; + char *val, *p, *field; u16 vid, pid; u32 flags; size_t i; int err; + val = kstrdup(value, GFP_KERNEL); + if (!val) + return -ENOMEM; + err = param_set_copystring(val, kp); - if (err) + if (err) { + kfree(val); return err; + } mutex_lock(&quirk_mutex); @@ -60,10 +66,11 @@ static int quirks_param_set(const char *val, const struct kernel_param *kp) if (!quirk_list) { quirk_count = 0; mutex_unlock(&quirk_mutex); + kfree(val); return -ENOMEM; } - for (i = 0, p = (char *)val; p && *p;) { + for (i = 0, p = val; p && *p;) { /* Each entry consists of VID:PID:flags */ field = strsep(&p, ":"); if (!field) @@ -144,6 +151,7 @@ static int quirks_param_set(const char *val, const struct kernel_param *kp) unlock: mutex_unlock(&quirk_mutex); + kfree(val); return 0; }