[01/11] nvram: Fix write beyond end condition; prove to gcc copy is safe

From: Greg KH
Date: Wed Aug 11 2010 - 19:49:56 EST

Next message: Greg KH: "[03/11] PCI: disable MSI on VIA K8M800"
Previous message: Pistis Valentino: "Problems Compile Misc Module Example"
In reply to: Greg KH: "[00/11] 2.6.27.51-stable review"
Next in thread: Greg KH: "[03/11] PCI: disable MSI on VIA K8M800"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

2.6.27-stable review patch. If anyone has any objections, please let us know.

------------------

From: H. Peter Anvin <hpa@xxxxxxxxx>

commit a01c7800420d2c294ca403988488a635d4087a6d upstream.

In nvram_write, first of all, correctly handle the case where the file
pointer is already beyond the end; we should return EOF in that case.

Second, make the logic a bit more explicit so that gcc can statically
prove that the copy_from_user() is safe. Once the condition of the
beyond-end filepointer is eliminated, the copy is safe but gcc can't
prove it, causing build failures for i386 allyesconfig.

Third, eliminate the entirely superfluous variable "len", and just use
the passed-in variable "count" instead.

Signed-off-by: H. Peter Anvin <hpa@xxxxxxxxx>
Cc: Arjan van de Ven <arjan@xxxxxxxxxxxxx>
Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Cc: Wim Van Sebroeck <wim@xxxxxxxxx>
Cc: Frederic Weisbecker <fweisbec@xxxxxxxxx>
LKML-Reference: <tip-*@git.kernel.org>
Cc: Stephen Hemminger <shemminger@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>

---
drivers/char/nvram.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)

--- a/drivers/char/nvram.c
+++ b/drivers/char/nvram.c
@@ -265,10 +265,16 @@ nvram_write(struct file *file, const cha
unsigned char contents[NVRAM_BYTES];
unsigned i = *ppos;
unsigned char *tmp;
- int len;

- len = (NVRAM_BYTES - i) < count ? (NVRAM_BYTES - i) : count;
- if (copy_from_user(contents, buf, len))
+ if (i >= NVRAM_BYTES)
+ return 0; /* Past EOF */
+
+ if (count > NVRAM_BYTES - i)
+ count = NVRAM_BYTES - i;
+ if (count > NVRAM_BYTES)
+ return -EFAULT; /* Can't happen, but prove it to gcc */
+
+ if (copy_from_user(contents, buf, count))
return -EFAULT;

spin_lock_irq(&rtc_lock);
@@ -276,7 +282,7 @@ nvram_write(struct file *file, const cha
if (!__nvram_check_checksum())
goto checksum_err;

- for (tmp = contents; count-- > 0 && i < NVRAM_BYTES; ++i, ++tmp)
+ for (tmp = contents; count--; ++i, ++tmp)
__nvram_write_byte(*tmp, i);

__nvram_set_checksum();

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg KH: "[03/11] PCI: disable MSI on VIA K8M800"
Previous message: Pistis Valentino: "Problems Compile Misc Module Example"
In reply to: Greg KH: "[00/11] 2.6.27.51-stable review"
Next in thread: Greg KH: "[03/11] PCI: disable MSI on VIA K8M800"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]