From 7326fffb712f09a315bc73cc1ee63843f59b8bd4 Mon Sep 17 00:00:00 2001 From: Alexander Usyskin Date: Sun, 17 Jan 2016 12:25:01 +0200 Subject: mei: validate request value in client notify request ioctl This patch address a possible security issue: The request field in client notify request ioctl comes from user space as u32 and is downcasted to u8 with out validation. Check request field to have approved values MEI_HBM_NOTIFICATION_STAR/STOP Cc: #4.3+ Signed-off-by: Alexander Usyskin Signed-off-by: Tomas Winkler Signed-off-by: Greg Kroah-Hartman --- drivers/misc/mei/main.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/drivers/misc/mei/main.c b/drivers/misc/mei/main.c index 677d0362f334..80f9afcb1382 100644 --- a/drivers/misc/mei/main.c +++ b/drivers/misc/mei/main.c @@ -458,7 +458,11 @@ static int mei_ioctl_client_notify_request(struct file *file, u32 request) { struct mei_cl *cl = file->private_data; - return mei_cl_notify_request(cl, file, request); + if (request != MEI_HBM_NOTIFICATION_START && + request != MEI_HBM_NOTIFICATION_STOP) + return -EINVAL; + + return mei_cl_notify_request(cl, file, (u8)request); } /** -- cgit v1.2.3 From 2f9ba5b2f8420e0e5712080dafc773f7dd47c3df Mon Sep 17 00:00:00 2001 From: Srinivas Kandagatla Date: Mon, 14 Dec 2015 09:42:38 +0000 Subject: nvmem: core: return error for non word aligned access nvmem providers have restrictions on register strides, so return error when users attempt to read/write buffers with sizes which are less than word size. Without this patch the userspace would continue to try as it does not get any error from the nvmem core, resulting in a hang or endless loop in userspace. Reported-by: Ariel D'Alessandro Signed-off-by: Srinivas Kandagatla Signed-off-by: Greg Kroah-Hartman --- drivers/nvmem/core.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c index 6fd4e5a5ef4a..9d11d9837312 100644 --- a/drivers/nvmem/core.c +++ b/drivers/nvmem/core.c @@ -70,6 +70,9 @@ static ssize_t bin_attr_nvmem_read(struct file *filp, struct kobject *kobj, if (pos >= nvmem->size) return 0; + if (count < nvmem->word_size) + return -EINVAL; + if (pos + count > nvmem->size) count = nvmem->size - pos; @@ -95,6 +98,9 @@ static ssize_t bin_attr_nvmem_write(struct file *filp, struct kobject *kobj, if (pos >= nvmem->size) return 0; + if (count < nvmem->word_size) + return -EINVAL; + if (pos + count > nvmem->size) count = nvmem->size - pos; -- cgit v1.2.3 From 3b2b9ead32142b4cf55ea2793e5e4f7b63c04818 Mon Sep 17 00:00:00 2001 From: Stephen Boyd Date: Mon, 14 Dec 2015 09:42:57 +0000 Subject: nvmem: qfprom: Specify LE device endianness The qfprom is a little endian device, but so far we've been relying on the regmap mmio bus handling this for us without explicitly stating that fact. After commit 4a98da2164cf (regmap-mmio: Use native endianness for read/write, 2015-10-29), the regmap mmio bus will read/write with the __raw_*() IO accessors, instead of using the readl/writel() APIs that do proper byte swapping for little endian devices. So if we're running on a big endian processor and haven't specified the endianness explicitly in the regmap config or in DT, we're going to switch from doing little endian byte swapping to big endian accesses without byte swapping, leading to some confusing results. Specify the endianness explicitly so that the regmap core properly byte swaps the accesses for us. Cc: Rajendra Nayak Cc: Kevin Hilman Cc: Tyler Baker Cc: Simon Arlott Cc: Mark Brown Signed-off-by: Stephen Boyd Signed-off-by: Srinivas Kandagatla Signed-off-by: Greg Kroah-Hartman --- drivers/nvmem/qfprom.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/nvmem/qfprom.c b/drivers/nvmem/qfprom.c index afb67e7eeee4..3829e5fbf8c3 100644 --- a/drivers/nvmem/qfprom.c +++ b/drivers/nvmem/qfprom.c @@ -21,6 +21,7 @@ static struct regmap_config qfprom_regmap_config = { .reg_bits = 32, .val_bits = 8, .reg_stride = 1, + .val_format_endian = REGMAP_ENDIAN_LITTLE, }; static struct nvmem_config econfig = { -- cgit v1.2.3