From b9472f7d8224460499dd7128ec944735ed5345a0 Mon Sep 17 00:00:00 2001 From: Jann Horn Date: Mon, 18 Feb 2019 22:43:09 +0100 Subject: [PATCH] firmware: xilinx: fix debugfs write handler - Userspace wants to write a string with `len` bytes, not counting the terminating NULL, so we should allocate `len+1` bytes. It looks like the current code relied on having a nullbyte directly behind `kern_buff`, which happens to work reliably as long as `len` isn't one of the kmalloc size classes. - strncpy_from_user() is completely wrong here; userspace is giving us a (not necessarily null-terminated) buffer and its length. strncpy_from_user() is for cases in which we don't know the length. - Don't let broken userspace allocate arbitrarily big kmalloc allocations. Just use memdup_user_nul(), which is designed precisely for things like this. Signed-off-by: Jann Horn Acked-by: Jolly Shah Signed-off-by: Michal Simek --- drivers/firmware/xilinx/zynqmp-debug.c | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-) diff --git a/drivers/firmware/xilinx/zynqmp-debug.c b/drivers/firmware/xilinx/zynqmp-debug.c index 2771df6df379..90b66cdbfd58 100644 --- a/drivers/firmware/xilinx/zynqmp-debug.c +++ b/drivers/firmware/xilinx/zynqmp-debug.c @@ -163,21 +163,14 @@ static ssize_t zynqmp_pm_debugfs_api_write(struct file *file, strcpy(debugfs_buf, ""); - if (*off != 0 || len == 0) + if (*off != 0 || len <= 1 || len > PAGE_SIZE - 1) return -EINVAL; - kern_buff = kzalloc(len, GFP_KERNEL); - if (!kern_buff) - return -ENOMEM; - + kern_buff = memdup_user_nul(ptr, len); + if (IS_ERR(kern_buff)) + return PTR_ERR(kern_buff); tmp_buff = kern_buff; - ret = strncpy_from_user(kern_buff, ptr, len); - if (ret < 0) { - ret = -EFAULT; - goto err; - } - /* Read the API name from a user request */ pm_api_req = strsep(&kern_buff, " ");