From 644b4b613154c7c5ebb3e9b91a1399e7526908f2 Mon Sep 17 00:00:00 2001
From: Sayali Lokhande
Date: Thu, 5 Oct 2017 11:36:17 +0530
Subject: [PATCH] scsi: ufs: Fix stack overflow read in ufs debugfs driver
When getting string from userspace by simple_write_to_buffer in ufs_qcom_dbg_testbus_cfg_write() function, the string copied to configuration is not terminated with '\0'. Thus stack overflow read may occur while copying configuration to host->testbus.select_major, which will result in information leak later while printing error message. This change adds null character at the end of the input string to avoid information leak.
Change-Id: Ic9a9204def4bd6976f42f5f80ae5c0a9730afeb1
Signed-off-by: Sayali Lokhande
---
 drivers/scsi/ufs/ufs-qcom-debugfs.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/ufs/ufs-qcom-debugfs.c b/drivers/scsi/ufs/ufs-qcom-debugfs.c
index da670c0e31fa..494ecd1c5f79 100644
--- a/drivers/scsi/ufs/ufs-qcom-debugfs.c
+++ b/drivers/scsi/ufs/ufs-qcom-debugfs.c
@@ -111,7 +111,7 @@ static ssize_t ufs_qcom_dbg_testbus_cfg_write(struct file *file,
 loff_t *ppos)
 {
 struct ufs_qcom_host *host = file->f_mapping->host->i_private;
- char configuration[TESTBUS_CFG_BUFF_LINE_SIZE] = {0};
+ char configuration[TESTBUS_CFG_BUFF_LINE_SIZE] = {'\0'};
 loff_t buff_pos = 0;
 char *comma;
 int ret = 0;
@@ -128,6 +128,7 @@ static ssize_t ufs_qcom_dbg_testbus_cfg_write(struct file *file,
 __func__);
 goto out;
 }
+ configuration[ret] = '\0';
 comma = strnchr(configuration, TESTBUS_CFG_BUFF_LINE_SIZE, ',');
 if (!comma || comma == configuration) {
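Review bot: The added `configuration[ret] = '\0';` in the second hunk is only in bounds if the preceding simple_write_to_buffer() call, which lies outside the hunk, caps the copy below the array size. If that call passes the full `TESTBUS_CFG_BUFF_LINE_SIZE` as the available length, a write of that many bytes makes `ret` equal to the array length and the new store lands one byte past `configuration` on the stack. Passing `TESTBUS_CFG_BUFF_LINE_SIZE - 1` to the call would close this, and because the array is zero-initialised and `buff_pos` starts at 0, that bound alone already leaves the string terminated. The `{0}` to `{'\0'}` change in the first hunk is equivalent to the old initialiser and does not affect this. The function body starts and ends outside both hunks, so the size argument should be confirmed against the full file.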