[POWERPC] spufs: fix possible memory corruption is spufs_mem_write

Due to a buggy unsigned comparison, it was possible to write
beyond the end of the local store file in spufs under some
circumstances.

This rewrites the buggy function to look more like
simple_copy_from_buffer.

Signed-off-by: Arnd Bergmann <arnd.bergmann@de.ibm.com>
Cc: Ulrich Weigand <Ulrich.Weigand@de.ibm.com>

authored by Arnd Bergmann and committed by Arnd Bergmann aa0ed2bd f194bda4

+14 -10
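--- a/arch/powerpc/platforms/cell/spufs/file.c
+++ b/arch/powerpc/platforms/cell/spufs/file.c
@@ -63,8 +63,8 @@
 spufs_mem_read(struct file *file, char __user *buffer,
 			size_t size, loff_t *pos)
 {
-	int ret;
 	struct spu_context *ctx = file->private_data;
+	ssize_t ret;
 
 	spu_acquire(ctx);
 	ret = __spufs_mem_read(ctx, buffer, size, pos);
@@ -74,25 +74,29 @@
 
 static ssize_t
 spufs_mem_write(struct file *file, const char __user *buffer,
-		size_t size, loff_t *pos)
+		size_t size, loff_t *ppos)
 {
 	struct spu_context *ctx = file->private_data;
 	char *local_store;
+	loff_t pos = *ppos;
 	int ret;
 
-	size = min_t(ssize_t, LS_SIZE - *pos, size);
-	if (size <= 0)
+	if (pos < 0)
+		return -EINVAL;
+	if (pos > LS_SIZE)
 		return -EFBIG;
-	*pos += size;
+	if (size > LS_SIZE - pos)
+		size = LS_SIZE - pos;
 
 	spu_acquire(ctx);
-
 	local_store = ctx->ops->get_ls(ctx);
-	ret = copy_from_user(local_store + *pos - size,
-			buffer, size) ? -EFAULT : size;
-
+	ret = copy_from_user(local_store + pos, buffer, size);
 	spu_release(ctx);
-	return ret;
+
+	if (ret)
+		return -EFAULT;
+	*ppos = pos + size;
+	return size;
 }
 
 static unsigned long spufs_mem_mmap_nopfn(struct vm_area_struct *vma,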
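Review bot: With `if (pos > LS_SIZE)` as the upper bound in spufs_mem_write, a write at exactly `pos == LS_SIZE` is no longer rejected: `size` is clamped to 0, a zero-length copy_from_user runs under spu_acquire, and the call returns 0 where the old code returned -EFBIG for a full local store. If that end-of-file behaviour is intended (it presumably mirrors how simple_read_from_buffer treats a read at the end), a short comment on that line saying so would stop the next reader from "fixing" it; otherwise `if (pos >= LS_SIZE)` keeps the old result. Separately, `ret` in spufs_mem_write still has type `int` while it now receives the unsigned long returned by copy_from_user and the read hunk changes its own `ret` to `ssize_t`; the value is only tested for non-zero so the conversion is harmless here, but `unsigned long ret;` would state the intent and match the callee. The `if (pos < 0)` check is what makes `LS_SIZE - pos` non-negative before it is compared against the unsigned `size`, so the two checks should stay adjacent and in this order.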