From patchwork Mon May 5 08:13:42 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ivan Stepchenko X-Patchwork-Id: 887681 Received: from forward203b.mail.yandex.net (forward203b.mail.yandex.net [178.154.239.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 435531E7C24; Mon, 5 May 2025 08:21:08 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=178.154.239.154 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746433275; cv=none; b=XWvBMKfZh7sc4AkabpfhgvkKumNv7kADeIsQ3VI4Y06mmzet6EGaV8RoiXqzSWLS7cnn1E5uqD+eGxpdURq9px2GPsGFVdHCqeB4c4Q8wCA3MSGz5jQrhqC7QRgA5dITD/i6vBHfgyNGT7d/gdiaHhS0ZxKsoYWa+FDmfK2hpaE= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1746433275; c=relaxed/simple; bh=Ubx4IIN/jFj2W5sWJUDmRo/Czw/KW+u7tWQC4o0VLwY=; h=From:To:Cc:Subject:Date:Message-Id:MIME-Version; b=o/Ct77WSrQIKl10tor2Eat6HFEmXtNoHCteJXa1gutj7Hne/2e6kJDy+1Z25E4Ho9SSDe9pyWY/rhMpByWwOjVV4qCO3Ng3trr+USSQeaU1VAfJMWBviGGJs8NnxZBotH6g9v4/89PyEfX8lsPp+zxIdIwQwF8rlR5z+HM6ARNE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=itb.spb.ru; spf=pass smtp.mailfrom=itb.spb.ru; dkim=pass (1024-bit key) header.d=itb.spb.ru header.i=@itb.spb.ru header.b=iov0e4Xg; arc=none smtp.client-ip=178.154.239.154 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=itb.spb.ru Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=itb.spb.ru Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=itb.spb.ru header.i=@itb.spb.ru header.b="iov0e4Xg" Received: from forward100b.mail.yandex.net (forward100b.mail.yandex.net [IPv6:2a02:6b8:c02:900:1:45:d181:d100]) by forward203b.mail.yandex.net (Yandex) with ESMTPS id F048A63213; Mon, 5 May 2025 11:14:26 +0300 (MSK) Received: from mail-nwsmtp-smtp-production-main-88.iva.yp-c.yandex.net (mail-nwsmtp-smtp-production-main-88.iva.yp-c.yandex.net [IPv6:2a02:6b8:c0c:2e20:0:640:2132:0]) by forward100b.mail.yandex.net (Yandex) with ESMTPS id 5338F60B29; Mon, 5 May 2025 11:14:18 +0300 (MSK) Received: by mail-nwsmtp-smtp-production-main-88.iva.yp-c.yandex.net (smtp/Yandex) with ESMTPSA id xDW2KY8LZqM0-B44wJ027; Mon, 05 May 2025 11:14:17 +0300 X-Yandex-Fwd: 1 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=itb.spb.ru; s=mail; t=1746432857; bh=HuQQ0othjGHwBJR53YINjZq8Dpvlg0YbKAb0yWqBg2c=; h=Message-Id:Date:Cc:Subject:To:From; b=iov0e4Xg6B+R6tH1qs104OemT08iTHa6qu1rWMFZwuSe6F7FLA6t5MEA2UHnny8Dt YCUIlKypQUD2wrty3CmL3SL7k0KI7wYOe68zzs3679vsGMsGNfmgS02JXsnqc132yQ fCCZRNEqJltC5cGpQyRmLF4cpdQx2ouK2kR9wsC0= Authentication-Results: mail-nwsmtp-smtp-production-main-88.iva.yp-c.yandex.net; dkim=pass header.i=@itb.spb.ru From: Ivan Stepchenko To: Lee Jones Cc: Ivan Stepchenko , Pavel Machek , David Lechner , Jacek Anaszewski , linux-leds@vger.kernel.org, linux-kernel@vger.kernel.org, lvc-project@linuxtesting.org Subject: [PATCH] leds: uleds: fix unchecked copy_to_user() in uleds_read() Date: Mon, 5 May 2025 11:13:42 +0300 Message-Id: <20250505081342.3855-1-sid@itb.spb.ru> X-Mailer: git-send-email 2.39.5 Precedence: bulk X-Mailing-List: linux-leds@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 The copy_to_user() is annotated with __must_check, indicating that its return value must be checked by the caller. Currently, uleds_read() ignores it. If the userspace buffer is invalid and copy_to_user() fails, the userspace application may assume it has received fresh data, while in fact copying has failed. This can leave applications out of sync with the actual device state. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: e381322b0190 ("leds: Introduce userspace LED class driver") Signed-off-by: Ivan Stepchenko --- drivers/leds/uleds.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/leds/uleds.c b/drivers/leds/uleds.c index 374a841f18c3..41bfce43136c 100644 --- a/drivers/leds/uleds.c +++ b/drivers/leds/uleds.c @@ -147,10 +147,13 @@ static ssize_t uleds_read(struct file *file, char __user *buffer, size_t count, } else if (!udev->new_data && (file->f_flags & O_NONBLOCK)) { retval = -EAGAIN; } else if (udev->new_data) { - retval = copy_to_user(buffer, &udev->brightness, - sizeof(udev->brightness)); - udev->new_data = false; - retval = sizeof(udev->brightness); + if (copy_to_user(buffer, &udev->brightness, + sizeof(udev->brightness))) { + retval = -EFAULT; + } else { + udev->new_data = false; + retval = sizeof(udev->brightness); + } } mutex_unlock(&udev->mutex);