24 Mar
2021
24 Mar
'21
2:29 p.m.
From: Xue <xuechaojing(a)huawei.com>
commit 4ae59ffabe113fea082d925f864ccfb2be5925fc openEuler-1.0
driver inclusion
category:bugfix
bugzilla:4472
CVE:NA
------------------------------------------------------------------------
This patch fix add security check in hinic.
Reviewed-by: chiqijun <chiqijun(a)huawei.com>
Signed-off-by: Wu Like <wulike1(a)huawei.com>
Signed-off-by: Xue <xuechaojing(a)huawei.com>
Reviewed-by: Xie XiuQi <xiexiuqi(a)huawei.com>
Signed-off-by: Xie XiuQi <xiexiuqi(a)huawei.com>
Signed-off-by: Xin Hao <haoxing990(a)gmail.com>
---
.../ethernet/huawei/hinic/hinic_dbgtool_knl.c | 8 +++++++-
.../net/ethernet/huawei/hinic/hinic_nictool.c | 17 +++++++++--------
2 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/drivers/net/ethernet/huawei/hinic/hinic_dbgtool_knl.c
b/drivers/net/ethernet/huawei/hinic/hinic_dbgtool_knl.c
index 027fb019677f..f65892c6273f 100644
--- a/drivers/net/ethernet/huawei/hinic/hinic_dbgtool_knl.c
+++ b/drivers/net/ethernet/huawei/hinic/hinic_dbgtool_knl.c
@@ -513,8 +513,12 @@ long dbgtool_knl_free_mem(int id)
unsigned char *tmp;
int i;
- if (!g_card_vir_addr[id])
+ mutex_lock(&g_addr_lock);
+
+ if (!g_card_vir_addr[id]) {
+ mutex_unlock(&g_addr_lock);
return 0;
+ }
tmp = g_card_vir_addr[id];
for (i = 0; i < (1 << DBGTOOL_PAGE_ORDER); i++) {
@@ -526,6 +530,8 @@ long dbgtool_knl_free_mem(int id)
g_card_vir_addr[id] = NULL;
g_card_phy_addr[id] = 0;
+ mutex_unlock(&g_addr_lock);
+
return 0;
}
diff --git a/drivers/net/ethernet/huawei/hinic/hinic_nictool.c
b/drivers/net/ethernet/huawei/hinic/hinic_nictool.c
index 936c1e5115e9..2539b7524612 100644
--- a/drivers/net/ethernet/huawei/hinic/hinic_nictool.c
+++ b/drivers/net/ethernet/huawei/hinic/hinic_nictool.c
@@ -1087,8 +1087,7 @@ static int get_pf_dev_info(char *dev_name, struct msg_module
*nt_msg)
card_info->func_handle_array);
/* Copy the dev_info to user mode*/
- if (copy_to_user(nt_msg->out_buf, dev_info,
- nt_msg->lenInfo.inBuffLen)) {
+ if (copy_to_user(nt_msg->out_buf, dev_info, sizeof(dev_info))) {
pr_err("Copy dev_info to user fail\n");
return -EFAULT;
}
@@ -1672,7 +1671,6 @@ static int get_self_test_cmd(struct msg_module *nt_msg)
{
int ret;
u32 res = 0;
- u32 out_size_expect = nt_msg->lenInfo.outBuffLen;
ret = hinic_get_self_test_result(nt_msg->device_name, &res);
if (ret) {
@@ -1680,7 +1678,7 @@ static int get_self_test_cmd(struct msg_module *nt_msg)
return -EFAULT;
}
- ret = copy_buf_out_to_user(nt_msg, out_size_expect, &res);
+ ret = copy_buf_out_to_user(nt_msg, sizeof(res), &res);
if (ret)
pr_err("%s:%d:: Copy to user failed\n", __func__, __LINE__);
@@ -1689,16 +1687,16 @@ static int get_self_test_cmd(struct msg_module *nt_msg)
static int get_all_chip_id_cmd(struct msg_module *nt_msg)
{
- int ret = 0;
- u32 out_size_expect = nt_msg->lenInfo.outBuffLen;
struct nic_card_id card_id;
hinic_get_all_chip_id((void *)&card_id);
- if (copy_to_user(nt_msg->out_buf, &card_id, out_size_expect))
+ if (copy_to_user(nt_msg->out_buf, &card_id, sizeof(card_id))) {
pr_err("Copy chip id to user failed\n");
+ return -EFAULT;
+ }
- return ret;
+ return 0;
}
int nic_ioctl(void *uld_dev, u32 cmd, void *buf_in,
@@ -1908,6 +1906,9 @@ static long nictool_k_unlocked_ioctl(struct file *pfile,
return -EFAULT;
}
+ /* end with '\0' */
+ nt_msg.device_name[IFNAMSIZ - 1] = '\0';
+
cmd_raw = nt_msg.module;
out_size_expect = nt_msg.lenInfo.outBuffLen;
--
2.31.0