Thanks for the patch. Looks good.
Reviewed-by: Dan Carpenter <[email protected]>
On Wed, Nov 20, 2019 at 10:36:48AM -0500, Marcelo Diop-Gonzalez wrote:
> copy_bytes = min_t(int, len, context->space - context->actual);
> if (copy_bytes == 0)
> - return;
> + return 0;
> if (copy_to_user(context->buf + context->actual, str,
> copy_bytes))
> - context->actual = -EFAULT;
^^^^^^^^^^^^^^^^^^^^^^^^^
> + return -EFAULT;
> context->actual += copy_bytes;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
In the original code we saved the error code to context->actual, then
we added some bytes
> len -= copy_bytes;
>
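Review bot: at `if (copy_bytes == 0)` only the exact-zero case is filtered, but copy_bytes is a signed value from `min_t(int, len, context->space - context->actual)`. A negative len, or an actual larger than space, would be passed on to copy_to_user as a negative count, so consider testing `copy_bytes <= 0` instead. Separately, `return 0` on this path makes a full buffer look the same as a successful write; if callers are expected to stop dumping once the buffer is full, a distinct return value or a comment stating the convention would help.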
> @@ -2109,8 +2108,9 @@ vchiq_dump(void *dump_context, const char *str, int len)
>
> if (copy_to_user(context->buf + context->actual - 1,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
and then we tried to use the result to corrupt the user space program.
So this patch is a nice bug fix.
> &cr, 1))
> - context->actual = -EFAULT;
> + return -EFAULT;
> }
> + return 0;
> }
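Review bot: on the `&cr, 1` failure path the function returns -EFAULT after `context->actual += copy_bytes` from the previous hunk has already run, so the caller gets an error while actual already reflects the partial write. A comment on vchiq_dump() stating the return convention (0 on success, -EFAULT on a failed copy) and that actual may have advanced would make this explicit for callers. Also, `context->buf + context->actual - 1` relies on actual being at least 1; the condition guarding this block is not visible in the quoted lines, so it is worth confirming it covers that case.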
regards,
dan carpenter