[thirdparty/kernel/stable-queue.git] / releases / 4.14.33 / dev-mem-avoid-overwriting-err-in-read_mem.patch

From b5b38200ebe54879a7264cb6f33821f61c586a7e Mon Sep 17 00:00:00 2001
From: Kees Cook <keescook@chromium.org>
Date: Tue, 27 Mar 2018 14:06:14 -0700
Subject: /dev/mem: Avoid overwriting "err" in read_mem()

From: Kees Cook <keescook@chromium.org>

commit b5b38200ebe54879a7264cb6f33821f61c586a7e upstream.

Successes in probe_kernel_read() would mask failures in copy_to_user()
during read_mem().

Reported-by: Brad Spengler <spender@grsecurity.net>
Fixes: 22ec1a2aea73 ("/dev/mem: Add bounce buffer for copy-out")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/mem.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/char/mem.c
+++ b/drivers/char/mem.c
@@ -137,7 +137,7 @@ static ssize_t read_mem(struct file *fil
 
 	while (count > 0) {
 		unsigned long remaining;
-		int allowed;
+		int allowed, probe;
 
 		sz = size_inside_page(p, count);
 
@@ -160,9 +160,9 @@ static ssize_t read_mem(struct file *fil
 			if (!ptr)
 				goto failed;
 
-			err = probe_kernel_read(bounce, ptr, sz);
+			probe = probe_kernel_read(bounce, ptr, sz);
 			unxlate_dev_mem_ptr(p, ptr);
-			if (err)
+			if (probe)
 				goto failed;
 
 			remaining = copy_to_user(buf, bounce, sz);
Commit	Line	Data
08f2b9b8 GKH	1	From b5b38200ebe54879a7264cb6f33821f61c586a7e Mon Sep 17 00:00:00 2001
	2	From: Kees Cook <keescook@chromium.org>
	3	Date: Tue, 27 Mar 2018 14:06:14 -0700
	4	Subject: /dev/mem: Avoid overwriting "err" in read_mem()
	5
	6	From: Kees Cook <keescook@chromium.org>
	7
	8	commit b5b38200ebe54879a7264cb6f33821f61c586a7e upstream.
	9
	10	Successes in probe_kernel_read() would mask failures in copy_to_user()
	11	during read_mem().
	12
	13	Reported-by: Brad Spengler <spender@grsecurity.net>
	14	Fixes: 22ec1a2aea73 ("/dev/mem: Add bounce buffer for copy-out")
	15	Cc: stable@vger.kernel.org
	16	Signed-off-by: Kees Cook <keescook@chromium.org>
	17	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	18
	19	---
	20	drivers/char/mem.c \| 6 +++---
	21	1 file changed, 3 insertions(+), 3 deletions(-)
	22
	23	--- a/drivers/char/mem.c
	24	+++ b/drivers/char/mem.c
	25	@@ -137,7 +137,7 @@ static ssize_t read_mem(struct file *fil
	26
	27	while (count > 0) {
	28	unsigned long remaining;
	29	- int allowed;
	30	+ int allowed, probe;
	31
	32	sz = size_inside_page(p, count);
	33
	34	@@ -160,9 +160,9 @@ static ssize_t read_mem(struct file *fil
	35	if (!ptr)
	36	goto failed;
	37
	38	- err = probe_kernel_read(bounce, ptr, sz);
	39	+ probe = probe_kernel_read(bounce, ptr, sz);
	40	unxlate_dev_mem_ptr(p, ptr);
	41	- if (err)
	42	+ if (probe)
	43	goto failed;
	44
	45	remaining = copy_to_user(buf, bounce, sz);