summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorH. Peter Anvin <hpa@zytor.com>2009-12-11 15:48:23 -0800
committerH. Peter Anvin <hpa@zytor.com>2009-12-11 15:48:23 -0800
commita01c7800420d2c294ca403988488a635d4087a6d (patch)
treea0a5eeb436a297dffead2dfbccbb0ad3013aa7d1
parentb925585039cf39275c2e0e57512e5df27fa73aad (diff)
downloadkernel-crypto-a01c7800420d2c294ca403988488a635d4087a6d.tar.gz
kernel-crypto-a01c7800420d2c294ca403988488a635d4087a6d.tar.xz
kernel-crypto-a01c7800420d2c294ca403988488a635d4087a6d.zip
nvram: Fix write beyond end condition; prove to gcc copy is safe
In nvram_write, first of all, correctly handle the case where the file pointer is already beyond the end; we should return EOF in that case. Second, make the logic a bit more explicit so that gcc can statically prove that the copy_from_user() is safe. Once the condition of the beyond-end filepointer is eliminated, the copy is safe but gcc can't prove it, causing build failures for i386 allyesconfig. Third, eliminate the entirely superfluous variable "len", and just use the passed-in variable "count" instead. Signed-off-by: H. Peter Anvin <hpa@zytor.com> Cc: Arjan van de Ven <arjan@infradead.org> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Wim Van Sebroeck <wim@iguana.be> Cc: Frederic Weisbecker <fweisbec@gmail.com> LKML-Reference: <tip-*@git.kernel.org>
-rw-r--r--drivers/char/nvram.c14
1 files changed, 10 insertions, 4 deletions
diff --git a/drivers/char/nvram.c b/drivers/char/nvram.c
index 4008e2ce73c..fdbcc9fd6d3 100644
--- a/drivers/char/nvram.c
+++ b/drivers/char/nvram.c
@@ -264,10 +264,16 @@ static ssize_t nvram_write(struct file *file, const char __user *buf,
unsigned char contents[NVRAM_BYTES];
unsigned i = *ppos;
unsigned char *tmp;
- int len;
- len = (NVRAM_BYTES - i) < count ? (NVRAM_BYTES - i) : count;
- if (copy_from_user(contents, buf, len))
+ if (i >= NVRAM_BYTES)
+ return 0; /* Past EOF */
+
+ if (count > NVRAM_BYTES - i)
+ count = NVRAM_BYTES - i;
+ if (count > NVRAM_BYTES)
+ return -EFAULT; /* Can't happen, but prove it to gcc */
+
+ if (copy_from_user(contents, buf, count))
return -EFAULT;
spin_lock_irq(&rtc_lock);
@@ -275,7 +281,7 @@ static ssize_t nvram_write(struct file *file, const char __user *buf,
if (!__nvram_check_checksum())
goto checksum_err;
- for (tmp = contents; count-- > 0 && i < NVRAM_BYTES; ++i, ++tmp)
+ for (tmp = contents; count--; ++i, ++tmp)
__nvram_write_byte(*tmp, i);
__nvram_set_checksum();