There are a few issues in this code. If *ppos is non-zero then the
first part of the buffer is not initialized. We never initialize the
last character of the buffer. The return is not checked so it's
possible that none of the buffer is initialized.
This is debugfs code which is root only and the impact of these bugs is
very small. However, it's still worth fixing. To fix this:
1) Check that *ppos is zero.
2) Use copy_from_user() instead of simple_write_to_buffer().
3) Explicitly add a NUL terminator.
Fixes: e2b67859ab6e ("crypto: qat - add heartbeat error simulator")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
size_t count, loff_t *ppos)
{
struct adf_accel_dev *accel_dev = file->private_data;
- size_t written_chars;
char buf[3];
int ret;
/* last byte left as string termination */
- if (count != 2)
+ if (*ppos != 0 || count != 2)
return -EINVAL;
- written_chars = simple_write_to_buffer(buf, sizeof(buf) - 1,
- ppos, user_buf, count);
+ if (copy_from_user(buf, user_buf, count))
+ return -EFAULT;
+ buf[count] = '\0';
+
if (buf[0] != '1')
return -EINVAL;
dev_info(&GET_DEV(accel_dev), "Heartbeat error injection enabled\n");
- return written_chars;
+ return count;
}
static const struct file_operations adf_hb_error_inject_fops = {