]>
Commit | Line | Data |
---|---|---|
08f2b9b8 GKH |
1 | From b5b38200ebe54879a7264cb6f33821f61c586a7e Mon Sep 17 00:00:00 2001 |
2 | From: Kees Cook <keescook@chromium.org> | |
3 | Date: Tue, 27 Mar 2018 14:06:14 -0700 | |
4 | Subject: /dev/mem: Avoid overwriting "err" in read_mem() | |
5 | ||
6 | From: Kees Cook <keescook@chromium.org> | |
7 | ||
8 | commit b5b38200ebe54879a7264cb6f33821f61c586a7e upstream. | |
9 | ||
10 | Successes in probe_kernel_read() would mask failures in copy_to_user() | |
11 | during read_mem(). | |
12 | ||
13 | Reported-by: Brad Spengler <spender@grsecurity.net> | |
14 | Fixes: 22ec1a2aea73 ("/dev/mem: Add bounce buffer for copy-out") | |
15 | Cc: stable@vger.kernel.org | |
16 | Signed-off-by: Kees Cook <keescook@chromium.org> | |
17 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | |
18 | ||
19 | --- | |
20 | drivers/char/mem.c | 6 +++--- | |
21 | 1 file changed, 3 insertions(+), 3 deletions(-) | |
22 | ||
23 | --- a/drivers/char/mem.c | |
24 | +++ b/drivers/char/mem.c | |
25 | @@ -137,7 +137,7 @@ static ssize_t read_mem(struct file *fil | |
26 | ||
27 | while (count > 0) { | |
28 | unsigned long remaining; | |
29 | - int allowed; | |
30 | + int allowed, probe; | |
31 | ||
32 | sz = size_inside_page(p, count); | |
33 | ||
34 | @@ -160,9 +160,9 @@ static ssize_t read_mem(struct file *fil | |
35 | if (!ptr) | |
36 | goto failed; | |
37 | ||
38 | - err = probe_kernel_read(bounce, ptr, sz); | |
39 | + probe = probe_kernel_read(bounce, ptr, sz); | |
40 | unxlate_dev_mem_ptr(p, ptr); | |
41 | - if (err) | |
42 | + if (probe) | |
43 | goto failed; | |
44 | ||
45 | remaining = copy_to_user(buf, bounce, sz); |