linudebugfs: fix simple_attr_write_common() kernel buffer
With 2cf15144da we added a kernel buffer for parsing input, copying the user buffer into that. The problem is that we only copy exactly as many bytes as the user supplied. printf 1 would have a write_size of 1, while echo 1 would have a write_size of 2 (1\n). But in order to check and parse we need a terminating '\0'. Overallocate the kernel buffer by 1 and make sure it is always '\0' terminated. Remove the check that the string needs to be of different length than the write_size, as this will always fail unless the user passes in, e.g., "1\02\n\0" somehow, in which case we won't bother, as kstrto*ll() will not only handle the '\n' but also stop at '\0' and should be fine, or it will fail and we will error. In theory we could use a static buffer here as well, as we know a maximum possible length of digits plus \n and \0, and take a min of that buffer length and write_size and then error on a small buffer, but given this is an optional debug interface, do not bother with any alloc (size). Fixes: 2cf15144da ("lindebugfs: Pass user buffer pointers ..") Sponsored by: The FreeBSD Foundation Reviewed by: dumbbell MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D57522
@@ -163,15 +163,12 @@ simple_attr_write_common(struct file *filp, const char __user *ubuf,
|
||||
if (*ppos != 0 || write_size < 1)
|
||||
return (-EINVAL);
|
||||
|
||||
buf = malloc(write_size, M_LSATTR, M_WAITOK);
|
||||
buf = malloc(write_size + 1, M_LSATTR, M_WAITOK);
|
||||
if (copy_from_user(buf, ubuf, write_size) != 0) {
|
||||
free(buf, M_LSATTR);
|
||||
return (-EFAULT);
|
||||
}
|
||||
if (strnlen(buf, write_size) == write_size) {
|
||||
free(buf, M_LSATTR);
|
||||
return (-EINVAL);
|
||||
}
|
||||
buf[write_size] = '\0';
|
||||
|
||||
mutex_lock(&sattr->mutex);
|
||||
|
||||
|
||||
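Review bot: `write_size` reaches `malloc(write_size + 1, M_LSATTR, M_WAITOK)` with only the lower bound `write_size < 1` checked, so whoever issues the write chooses the size of a sleeping kernel allocation. The `+ 1` added here would also wrap if `write_size` could ever be the maximum `size_t`; presumably the syscall layer prevents that, but nothing visible in this hunk does. A signed 64-bit value plus '\n' and '\0' needs only a few dozen bytes, so the existing guard could reject larger writes without moving to a static buffer: `if (*ppos != 0 || write_size < 1 || write_size > SATTR_MAX_INPUT)`, where `SATTR_MAX_INPUT` is a placeholder name for a small constant defined near the function. A one-line comment above the allocation, e.g. `/* +1: room for the terminating NUL that kstrto*ll() needs */`, would keep a later cleanup from trimming it. The function starts and ends outside the hunk, so the parse and return paths are not covered by this note.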