
Commit 0afa695e authored by Sayali Lokhande

scsi: ufs: Fix stack overflow read in ufs debugfs driver



When getting string from userspace by simple_write_to_buffer
in ufs_qcom_dbg_testbus_cfg_write() function, the string
copied to configuration is not terminated with '\0'. Thus
stack overflow read may occur while copying configuration to
host->testbus.select_major, which will result in information
leak later while printing error message. This change adds null
character at the end of the input string to avoid information
leak.

Change-Id: Ic9a9204def4bd6976f42f5f80ae5c0a9730afeb1
Signed-off-by: Sayali Lokhande <sayalil@codeaurora.org>
parent be60ad58
+4 −2
@@ -111,20 +111,22 @@ static ssize_t ufs_qcom_dbg_testbus_cfg_write(struct file *file,
				loff_t *ppos)
{
	struct ufs_qcom_host *host = file->f_mapping->host->i_private;
	char configuration[TESTBUS_CFG_BUFF_LINE_SIZE] = {0};
	char configuration[TESTBUS_CFG_BUFF_LINE_SIZE] = {'\0'};
	loff_t buff_pos = 0;
	char *comma;
	int ret = 0;
	int major;
	int minor;

	ret = simple_write_to_buffer(configuration, TESTBUS_CFG_BUFF_LINE_SIZE,
	ret = simple_write_to_buffer(configuration,
		TESTBUS_CFG_BUFF_LINE_SIZE - 1,
		&buff_pos, ubuf, cnt);
	if (ret < 0) {
		dev_err(host->hba->dev, "%s: failed to read user data\n",
			__func__);
		goto out;
	}
	configuration[ret] = '\0';

	comma = strnchr(configuration, TESTBUS_CFG_BUFF_LINE_SIZE, ',');
	if (!comma || comma == configuration) {
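
Review bot: at the `simple_write_to_buffer()` call, a write longer than `TESTBUS_CFG_BUFF_LINE_SIZE - 1` bytes is still silently truncated and then parsed as if it were a shorter valid string; consider rejecting it up front (return `-EINVAL` when `cnt > TESTBUS_CFG_BUFF_LINE_SIZE - 1`) so oversized input never reaches the `strnchr()` parsing. The new `configuration[ret] = '\0';` store is in bounds, since it runs only after the `ret < 0` branch and `ret` cannot exceed the `TESTBUS_CFG_BUFF_LINE_SIZE - 1` limit passed in. The initializer change from `{0}` to `{'\0'}` is a no-op (both zero-fill the array) and could be dropped to keep the fix minimal. A one-line comment above the call noting that the last byte is reserved for the terminator would make the `- 1` self-explanatory.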