scsi: ufs: Fix stack overflow read in ufs debugfs driver
When getting string from userspace by simple_write_to_buffer in ufs_qcom_dbg_testbus_cfg_write() function, the string copied to configuration is not terminated with '\0'. Thus stack overflow read may occur while copying configuration to host->testbus.select_major, which will result in information leak later while printing error message. This change adds null character at the end of the input string to avoid information leak. Change-Id: Ic9a9204def4bd6976f42f5f80ae5c0a9730afeb1 Signed-off-by: Sayali Lokhande <sayalil@codeaurora.org>
This commit is contained in:
parent
82e598b10a
commit
644b4b6131
1 changed files with 2 additions and 1 deletions
|
@ -111,7 +111,7 @@ static ssize_t ufs_qcom_dbg_testbus_cfg_write(struct file *file,
|
|||
loff_t *ppos)
|
||||
{
|
||||
struct ufs_qcom_host *host = file->f_mapping->host->i_private;
|
||||
char configuration[TESTBUS_CFG_BUFF_LINE_SIZE] = {0};
|
||||
char configuration[TESTBUS_CFG_BUFF_LINE_SIZE] = {'\0'};
|
||||
loff_t buff_pos = 0;
|
||||
char *comma;
|
||||
int ret = 0;
|
||||
|
@ -128,6 +128,7 @@ static ssize_t ufs_qcom_dbg_testbus_cfg_write(struct file *file,
|
|||
__func__);
|
||||
goto out;
|
||||
}
|
||||
configuration[ret] = '\0';
|
||||
|
||||
comma = strnchr(configuration, TESTBUS_CFG_BUFF_LINE_SIZE, ',');
|
||||
if (!comma || comma == configuration) {
|
||||
|
|
Loading…
Add table
Reference in a new issue