[PATCH -next] firmware: imx: secure-enclave: bound read copy by user buffer size

[Pankaj Gupta]

se_if_fops_read() copied the full received message to userspace without
checking the size of the user-provided buffer. If the receive message
was larger than the buffer passed to read(), this could overflow user
memory.

Fix this by limiting the copy length to the minimum of the userspace
buffer size and the received message size. Also drop logging on
copy_to_user() failure, as returning -EFAULT is sufficient.

Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Closes: https://smatch.sourceforge.net/
Fixes: 4de71839142b ("firmware: drivers: imx: adds miscdev")
Signed-off-by: Pankaj Gupta <pankaj.gupta@xxxxxxx>
---
 drivers/firmware/imx/se_ctrl.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/drivers/firmware/imx/se_ctrl.c b/drivers/firmware/imx/se_ctrl.c
index d5cc37273d8e..3a1e0c6a942b 100644
--- a/drivers/firmware/imx/se_ctrl.c
+++ b/drivers/firmware/imx/se_ctrl.c
@@ -799,6 +799,7 @@ static ssize_t se_if_fops_read(struct file *fp, char __user *buf, size_t size,
 {
 	struct se_if_device_ctx *dev_ctx = fp->private_data;
 	struct se_if_priv *priv = dev_ctx->priv;
+	size_t copy_len;
 	int err;
 
 	dev_dbg(priv->dev, "%s: read to buf %p(%zu), ppos=%lld.", dev_ctx->devname,
@@ -831,14 +832,13 @@ static ssize_t se_if_fops_read(struct file *fp, char __user *buf, size_t size,
 				     priv->cmd_receiver_clbk_hdl.rx_msg_sz,
 				     false);
 
-		if (copy_to_user(buf, priv->cmd_receiver_clbk_hdl.rx_msg,
-				 priv->cmd_receiver_clbk_hdl.rx_msg_sz)) {
-			dev_err(priv->dev, "%s: Failed to copy to user.",
-				dev_ctx->devname);
+		copy_len = min_t(size_t, size, priv->cmd_receiver_clbk_hdl.rx_msg_sz);
+
+		if (copy_to_user(buf, priv->cmd_receiver_clbk_hdl.rx_msg, copy_len))
 			err = -EFAULT;
-		} else {
-			err = priv->cmd_receiver_clbk_hdl.rx_msg_sz;
-		}
+		else
+			err = copy_len;
+
 exit:
 		priv->cmd_receiver_clbk_hdl.rx_msg_sz = 0;
 
-- 
2.43.0