Commit a01c7800 authored Dec 11, 2009 by H. Peter Anvin

nvram: Fix write beyond end condition; prove to gcc copy is safe



In nvram_write, first of all, correctly handle the case where the file
pointer is already beyond the end; we should return EOF in that case.

Second, make the logic a bit more explicit so that gcc can statically
prove that the copy_from_user() is safe.  Once the condition of the
beyond-end filepointer is eliminated, the copy is safe but gcc can't
prove it, causing build failures for i386 allyesconfig.

Third, eliminate the entirely superfluous variable "len", and just use
the passed-in variable "count" instead.

Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Cc: Arjan van de Ven <arjan@infradead.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Wim Van Sebroeck <wim@iguana.be>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
LKML-Reference: <tip-*@git.kernel.org>

parent b9255850

drivers/char/nvram.c

+10 −4

Original line number	Diff line number	Diff line
		@@ -264,10 +264,16 @@ static ssize_t nvram_write(struct file file, const char __user buf,
		unsigned char contents[NVRAM_BYTES];
		unsigned i = *ppos;
		unsigned char *tmp;
		int len;

		len = (NVRAM_BYTES - i) < count ? (NVRAM_BYTES - i) : count;
		if (copy_from_user(contents, buf, len))
		if (i >= NVRAM_BYTES)
		return 0; /* Past EOF */

		if (count > NVRAM_BYTES - i)
		count = NVRAM_BYTES - i;
		if (count > NVRAM_BYTES)
		return -EFAULT; /* Can't happen, but prove it to gcc */

		if (copy_from_user(contents, buf, count))
		return -EFAULT;

		spin_lock_irq(&rtc_lock);
		@@ -275,7 +281,7 @@ static ssize_t nvram_write(struct file file, const char __user buf,
		if (!__nvram_check_checksum())
		goto checksum_err;

		for (tmp = contents; count-- > 0 && i < NVRAM_BYTES; ++i, ++tmp)
		for (tmp = contents; count--; ++i, ++tmp)
		__nvram_write_byte(*tmp, i);

		__nvram_set_checksum();

Admin message