From 47918a436fa424a5eb81afc6a9eae6ad91b8b366 Mon Sep 17 00:00:00 2001 From: Srinivas Girigowda Date: Wed, 1 Feb 2017 11:49:43 -0800 Subject: [PATCH] qcacld-2.0: Do not copy buffer to user-space if diag read fails ATH diag procfs read is copying read_buffer to user space unconditionally, causing kernel heap information leak of uninitialized read_buffer if hif diag read fails. Do not copy buffer to user space if diag read fails to avoid information leak to user space. Change-Id: I5e07cad4f90e5e9b3c461268b8fa3635c3128b9f CRs-Fixed: 1104731 Bug: 32074353 Signed-off-by: Srinivas Girigowda --- drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/ath_procfs.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/ath_procfs.c b/drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/ath_procfs.c index 7b653a1dd72c8..ed0cfd69d7228 100644 --- a/drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/ath_procfs.c +++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/HIF/ath_procfs.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2013 The Linux Foundation. All rights reserved. + * Copyright (c) 2013, 2016-2017 The Linux Foundation. All rights reserved. * * Previously licensed under the ISC license by Qualcomm Atheros, Inc. * @@ -110,17 +110,16 @@ static ssize_t ath_procfs_diag_read(struct file *file, char __user *buf, (A_UINT8 *)read_buffer, count); } + if (rv) + return -EIO; + if(copy_to_user(buf, read_buffer, count)) { vos_mem_free(read_buffer); return -EFAULT; } else vos_mem_free(read_buffer); - if (rv == 0) { - return count; - } else { - return -EIO; - } + return count; } static ssize_t ath_procfs_diag_write(struct file *file, const char __user *buf,