Commit 749169d7 authored by Dan Carpenter's avatar Dan Carpenter Committed by Aichun Shi
Browse files

crypto: qat - uninitialized variable in adf_hb_error_inject_write() 

mainline inclusion
from mainline-v6.9-rc1
commit bcc06e1b3dadc76140203753a08979374c965ada
category: feature
bugzilla: https://gitee.com/openeuler/intel-kernel/issues/I9A5BW
CVE: N/A
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=bcc06e1b3dadc76140203753a08979374c965ada



-------------------------------------

There are a few issues in this code.  If *ppos is non-zero then the
first part of the buffer is not initialized.  We never initialize the
last character of the buffer.  The return is not checked so it's
possible that none of the buffer is initialized.

This is debugfs code which is root only and the impact of these bugs is
very small.  However, it's still worth fixing.  To fix this:
1) Check that *ppos is zero.
2) Use copy_from_user() instead of simple_write_to_buffer().
3) Explicitly add a NUL terminator.

Intel-SIG: commit bcc06e1b3dad crypto: qat - uninitialized variable in adf_hb_error_inject_write()
Backport to support QAT in-tree driver

Fixes: e2b67859ab6e ("crypto: qat - add heartbeat error simulator")
Signed-off-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: default avatarGiovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
[ Aichun Shi: amend commit log ]
Signed-off-by: default avatarAichun Shi <aichun.shi@intel.com>
parent 5e7ba72e

drivers/crypto/intel/qat/qat_common/adf_heartbeat_dbgfs.c

+6 −5
Original line number Diff line number Diff line
@@ -160,16 +160,17 @@ static ssize_t adf_hb_error_inject_write(struct file *file, 
					 size_t count, loff_t *ppos)

{

	struct adf_accel_dev *accel_dev = file->private_data;

	size_t written_chars;

	char buf[3];

	int ret;



	/* last byte left as string termination */

	if (count != 2)

	if (*ppos != 0 || count != 2)

		return -EINVAL;



	written_chars = simple_write_to_buffer(buf, sizeof(buf) - 1,

					       ppos, user_buf, count);

	if (copy_from_user(buf, user_buf, count))

		return -EFAULT;

	buf[count] = '\0';



	if (buf[0] != '1')

		return -EINVAL;
@@ -183,7 +184,7 @@ static ssize_t adf_hb_error_inject_write(struct file *file, 


	dev_info(&GET_DEV(accel_dev), "Heartbeat error injection enabled\n");



	return written_chars;

	return count;

}



static const struct file_operations adf_hb_error_inject_fops = {