linux/drivers/misc/ibmasm/ibmasmfs.c
Jann Horn a0341fc198 ibmasm: don't write out of bounds in read handler
This read handler had a lot of custom logic and wrote outside the bounds of
the provided buffer. This could lead to kernel and userspace memory
corruption. Just use simple_read_from_buffer() with a stack buffer.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-07-07 09:59:35 +02:00


/*
* IBM ASM Service Processor Device Driver
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
* Copyright (C) IBM Corporation, 2004
*
* Author: Max Asböck <amax@us.ibm.com>
*
*/
/*
* Parts of this code are based on an article by Jonathan Corbet
* that appeared in Linux Weekly News.
*/
/*
* The IBMASM file virtual filesystem. It creates the following hierarchy
* dynamically when mounted from user space:
*
* /ibmasm
* |-- 0
* | |-- command
* | |-- event
* | |-- reverse_heartbeat
* | `-- remote_video
* | |-- depth
* | |-- height
* | `-- width
* .
* .
* .
* `-- n
* |-- command
* |-- event
* |-- reverse_heartbeat
* `-- remote_video
* |-- depth
* |-- height
* `-- width
*
* For each service processor the following files are created:
*
* command: execute dot commands
* write: execute a dot command on the service processor
* read: return the result of a previously executed dot command
*
* event: listen for service processor events
* read: sleep (interruptible) until an event occurs
* write: wakeup sleeping event listener
*
* reverse_heartbeat: send a heartbeat to the service processor
* read: sleep (interruptible) until the reverse heartbeat fails
* write: wakeup sleeping heartbeat listener
*
* remote_video/width
* remote_video/height
* remote_video/depth: control remote display settings
* write: set value
* read: read value
*/
#include <linux/fs.h>
#include <linux/pagemap.h>
#include <linux/slab.h>
#include <linux/uaccess.h>
#include <asm/io.h>
#include "ibmasm.h"
#include "remote.h"
#include "dot_command.h"
/* Superblock magic number; stored in sb->s_magic by ibmasmfs_fill_super(). */
#define IBMASMFS_MAGIC 0x66726f67
/* Every service processor handed to ibmasmfs_add_sp(); walked at mount time. */
static LIST_HEAD(service_processors);
/* Forward declarations for helpers that are defined further down. */
static struct inode *ibmasmfs_make_inode(struct super_block *sb, int mode);
static void ibmasmfs_create_files (struct super_block *sb);
static int ibmasmfs_fill_super (struct super_block *sb, void *data, int silent);
/*
 * Mount callback for the "ibmasmfs" filesystem type.
 *
 * Hands the request to mount_single() with ibmasmfs_fill_super() as the
 * superblock initialiser. @name is not used here.
 */
static struct dentry *ibmasmfs_mount(struct file_system_type *fst,
				     int flags, const char *name, void *data)
{
	struct dentry *root;

	root = mount_single(fst, flags, data, ibmasmfs_fill_super);
	return root;
}
/* Superblock operations; both callbacks are generic VFS helpers. */
static const struct super_operations ibmasmfs_s_ops = {
.statfs = simple_statfs,
.drop_inode = generic_delete_inode,
};
/* Directories in this filesystem use the stock simple_dir_operations. */
static const struct file_operations *ibmasmfs_dir_ops = &simple_dir_operations;
/* Filesystem type passed to register_filesystem()/unregister_filesystem(). */
static struct file_system_type ibmasmfs_type = {
.owner = THIS_MODULE,
.name = "ibmasmfs",
.mount = ibmasmfs_mount,
.kill_sb = kill_litter_super,
};
MODULE_ALIAS_FS("ibmasmfs");
/*
 * Initialise a freshly allocated superblock for ibmasmfs.
 *
 * Sets the block size, magic and operations, creates the root directory
 * inode (mode 0500, i.e. readable and searchable by the owner only) and
 * then populates the tree from the registered service processors.
 *
 * Returns 0 on success or -ENOMEM if the root inode or root dentry could
 * not be allocated. @data and @silent are not used.
 */
static int ibmasmfs_fill_super(struct super_block *sb, void *data, int silent)
{
	struct inode *root_inode;

	sb->s_blocksize = PAGE_SIZE;
	sb->s_blocksize_bits = PAGE_SHIFT;
	sb->s_magic = IBMASMFS_MAGIC;
	sb->s_op = &ibmasmfs_s_ops;
	sb->s_time_gran = 1;

	root_inode = ibmasmfs_make_inode(sb, S_IFDIR | 0500);
	if (root_inode == NULL)
		return -ENOMEM;

	root_inode->i_op = &simple_dir_inode_operations;
	root_inode->i_fop = ibmasmfs_dir_ops;

	sb->s_root = d_make_root(root_inode);
	if (sb->s_root == NULL)
		return -ENOMEM;

	ibmasmfs_create_files(sb);
	return 0;
}
/*
 * Allocate an inode on @sb with the given @mode.
 *
 * The inode gets a fresh inode number and all three timestamps set to the
 * current time. Returns NULL if new_inode() fails.
 */
static struct inode *ibmasmfs_make_inode(struct super_block *sb, int mode)
{
	struct inode *inode = new_inode(sb);

	if (inode == NULL)
		return NULL;

	inode->i_ino = get_next_ino();
	inode->i_mode = mode;
	/* One current_time() call, then the same value copied to mtime/atime. */
	inode->i_ctime = current_time(inode);
	inode->i_mtime = inode->i_ctime;
	inode->i_atime = inode->i_mtime;
	return inode;
}
/*
 * Create a regular file called @name under @parent.
 *
 * @fops becomes the inode's file operations and @data is stored in
 * inode->i_private, where the open handlers pick it up. @mode supplies the
 * permission bits; S_IFREG is added here.
 *
 * Returns the new dentry, or NULL if the dentry or inode allocation fails
 * (the dentry reference is dropped again in the latter case).
 */
static struct dentry *ibmasmfs_create_file(struct dentry *parent,
					   const char *name,
					   const struct file_operations *fops,
					   void *data,
					   int mode)
{
	struct dentry *entry = d_alloc_name(parent, name);
	struct inode *node;

	if (entry == NULL)
		return NULL;

	node = ibmasmfs_make_inode(parent->d_sb, S_IFREG | mode);
	if (node == NULL) {
		dput(entry);
		return NULL;
	}

	node->i_fop = fops;
	node->i_private = data;
	d_add(entry, node);
	return entry;
}
/*
 * Create a directory called @name under @parent.
 *
 * The directory is created with mode 0500 and uses the simple directory
 * inode and file operations. Returns the new dentry, or NULL if the dentry
 * or inode allocation fails.
 */
static struct dentry *ibmasmfs_create_dir(struct dentry *parent,
					  const char *name)
{
	struct dentry *entry = d_alloc_name(parent, name);
	struct inode *node;

	if (entry == NULL)
		return NULL;

	node = ibmasmfs_make_inode(parent->d_sb, S_IFDIR | 0500);
	if (node == NULL) {
		dput(entry);
		return NULL;
	}

	node->i_op = &simple_dir_inode_operations;
	node->i_fop = ibmasmfs_dir_ops;
	d_add(entry, node);
	return entry;
}
/* Register the ibmasmfs filesystem type; returns register_filesystem()'s result. */
int ibmasmfs_register(void)
{
	int rc = register_filesystem(&ibmasmfs_type);

	return rc;
}
/* Unregister the ibmasmfs filesystem type; the result is not reported. */
void ibmasmfs_unregister(void)
{
	struct file_system_type *type = &ibmasmfs_type;

	unregister_filesystem(type);
}
/*
 * Add @sp to the list that ibmasmfs_create_files() walks at mount time.
 *
 * No lock is taken around the list update in this function.
 */
void ibmasmfs_add_sp(struct service_processor *sp)
{
	struct list_head *link = &sp->node;

	list_add(link, &service_processors);
}
/*
 * Per-open state for a "command" file. Allocated in command_file_open(),
 * stored in file->private_data and freed in command_file_close().
 */
struct ibmasmfs_command_data {
/* service processor behind this file (copied from inode->i_private) */
struct service_processor *sp;
/* command submitted by write() and not yet consumed by read(); NULL if none */
struct command *command;
};
/*
 * Per-open state for an "event" file. Allocated in event_file_open(),
 * stored in file->private_data and freed in event_file_close().
 */
struct ibmasmfs_event_data {
/* service processor behind this file (copied from inode->i_private) */
struct service_processor *sp;
/* reader registered with the service processor for the lifetime of the open file */
struct event_reader reader;
/* set to 1 while event_file_read() is in progress, 0 otherwise */
int active;
};
/*
 * Per-open state for a "reverse_heartbeat" file. Allocated in
 * r_heartbeat_file_open(), stored in file->private_data and freed in
 * r_heartbeat_file_close().
 */
struct ibmasmfs_heartbeat_data {
/* service processor behind this file (copied from inode->i_private) */
struct service_processor *sp;
/* heartbeat object initialised at open time and started by read() */
struct reverse_heartbeat heartbeat;
/* set to 1 while r_heartbeat_file_read() is in progress, 0 otherwise */
int active;
};
/*
 * Open handler for the "command" file.
 *
 * Allocates the per-open state and attaches it to file->private_data.
 * Returns -ENODEV if the inode carries no service processor and -ENOMEM if
 * the allocation fails.
 */
static int command_file_open(struct inode *inode, struct file *file)
{
	struct service_processor *sp = inode->i_private;
	struct ibmasmfs_command_data *state;

	if (sp == NULL)
		return -ENODEV;

	state = kmalloc(sizeof(*state), GFP_KERNEL);
	if (state == NULL)
		return -ENOMEM;

	/* kmalloc() does not zero memory, so both fields are set explicitly. */
	state->sp = sp;
	state->command = NULL;
	file->private_data = state;
	return 0;
}
/*
 * Release handler for the "command" file.
 *
 * Drops the reference on a command that was written but never read back,
 * then frees the per-open state. Always returns 0.
 */
static int command_file_close(struct inode *inode, struct file *file)
{
	struct ibmasmfs_command_data *state = file->private_data;
	struct command *pending = state->command;

	if (pending != NULL)
		command_put(pending);

	kfree(state);
	return 0;
}
/*
 * Read handler for the "command" file: return the response of the command
 * previously submitted through write().
 *
 * Returns -EINVAL for a negative offset and 0 for a non-zero offset, a zero
 * count, a count above IBMASM_CMD_MAX_BUFFER_SIZE, or when no command is
 * pending. Returns -EIO if the command did not complete and -EFAULT if the
 * copy to user space fails; otherwise the number of bytes copied.
 *
 * The pending command is consumed by the call in every case where one was
 * found, including the error cases.
 */
static ssize_t command_file_read(struct file *file, char __user *buf, size_t count, loff_t *offset)
{
	struct ibmasmfs_command_data *state = file->private_data;
	struct service_processor *sp = state->sp;
	struct command *cmd;
	unsigned long flags;
	ssize_t ret;
	int len;

	if (*offset < 0)
		return -EINVAL;
	if (*offset != 0 || count == 0 || count > IBMASM_CMD_MAX_BUFFER_SIZE)
		return 0;

	/* Detach the pending command under the lock so it is handed out once. */
	spin_lock_irqsave(&sp->lock, flags);
	cmd = state->command;
	state->command = NULL;
	spin_unlock_irqrestore(&sp->lock, flags);

	if (cmd == NULL)
		return 0;

	if (cmd->status != IBMASM_CMD_COMPLETE) {
		ret = -EIO;
	} else {
		/* Never copy more than the caller asked for or the command holds. */
		len = min(count, cmd->buffer_size);
		ret = copy_to_user(buf, cmd->buffer, len) ? -EFAULT : len;
	}

	command_put(cmd);
	return ret;
}
/*
 * Write handler for the "command" file: submit one dot command to the
 * service processor and wait for its response.
 *
 * Returns -EINVAL for a negative offset and 0 for a non-zero offset, a zero
 * count or a count above IBMASM_CMD_MAX_BUFFER_SIZE. Returns -EAGAIN while
 * an earlier command on this open file has not been read back, -ENOMEM if
 * the command cannot be allocated and -EFAULT if the user buffer cannot be
 * copied. On success returns @count.
 */
static ssize_t command_file_write(struct file *file, const char __user *ubuff, size_t count, loff_t *offset)
{
	struct ibmasmfs_command_data *state = file->private_data;
	struct service_processor *sp = state->sp;
	struct command *cmd;
	unsigned long flags;
	int busy;

	if (*offset < 0)
		return -EINVAL;
	if (*offset != 0 || count == 0 || count > IBMASM_CMD_MAX_BUFFER_SIZE)
		return 0;

	/*
	 * Commands run one at a time. This first test is unlocked and only
	 * avoids a pointless allocation; the authoritative test is the locked
	 * one below.
	 */
	if (state->command)
		return -EAGAIN;

	cmd = ibmasm_new_command(sp, count);
	if (cmd == NULL)
		return -ENOMEM;

	if (copy_from_user(cmd->buffer, ubuff, count)) {
		command_put(cmd);
		return -EFAULT;
	}

	spin_lock_irqsave(&sp->lock, flags);
	busy = (state->command != NULL);
	if (!busy)
		state->command = cmd;
	spin_unlock_irqrestore(&sp->lock, flags);

	if (busy) {
		command_put(cmd);
		return -EAGAIN;
	}

	/*
	 * NOTE(review): cmd->buffer was requested with a size of count, which
	 * is user-chosen and may be as small as 1. Confirm that
	 * ibmasm_exec_command() and get_dot_command_timeout() check the dot
	 * command header against the buffer size before reading its fields.
	 */
	ibmasm_exec_command(sp, cmd);
	ibmasm_wait_for_response(cmd, get_dot_command_timeout(cmd->buffer));
	return count;
}
/*
 * Open handler for the "event" file.
 *
 * Allocates the per-open state, registers its event reader with the service
 * processor and attaches the state to file->private_data. Returns -ENODEV
 * if the inode carries no service processor and -ENOMEM if the allocation
 * fails.
 */
static int event_file_open(struct inode *inode, struct file *file)
{
	struct service_processor *sp = inode->i_private;
	struct ibmasmfs_event_data *state;

	if (sp == NULL)
		return -ENODEV;

	state = kmalloc(sizeof(*state), GFP_KERNEL);
	if (state == NULL)
		return -ENOMEM;

	ibmasm_event_reader_register(sp, &state->reader);
	state->sp = sp;
	state->active = 0;
	file->private_data = state;
	return 0;
}
/*
 * Release handler for the "event" file.
 *
 * Unregisters the reader before the state that embeds it is freed. Always
 * returns 0.
 */
static int event_file_close(struct inode *inode, struct file *file)
{
	struct ibmasmfs_event_data *state = file->private_data;
	struct event_reader *reader = &state->reader;

	ibmasm_event_reader_unregister(state->sp, reader);
	kfree(state);
	return 0;
}
/*
 * Read handler for the "event" file: fetch the next service processor event
 * for this reader and copy it to user space.
 *
 * Returns -EINVAL for a negative offset and 0 for a non-zero offset, a zero
 * count or a count above IBMASM_EVENT_MAX_SIZE. Returns -EBUSY if another
 * read on the same open file is already in progress. A result <= 0 from
 * ibmasm_get_next_event() is passed through unchanged. Returns -EINVAL if
 * the caller's buffer is smaller than the event, -EFAULT if the copy fails,
 * and otherwise the event size in bytes.
 */
static ssize_t event_file_read(struct file *file, char __user *buf, size_t count, loff_t *offset)
{
	struct ibmasmfs_event_data *event_data = file->private_data;
	struct service_processor *sp = event_data->sp;
	struct event_reader *reader = &event_data->reader;
	unsigned long flags;
	int ret;

	if (*offset < 0)
		return -EINVAL;
	if (*offset != 0 || count == 0 || count > IBMASM_EVENT_MAX_SIZE)
		return 0;

	/* Claim the reader; only one read per open file may be in flight. */
	spin_lock_irqsave(&sp->lock, flags);
	if (event_data->active) {
		spin_unlock_irqrestore(&sp->lock, flags);
		return -EBUSY;
	}
	event_data->active = 1;
	spin_unlock_irqrestore(&sp->lock, flags);

	ret = ibmasm_get_next_event(sp, reader);
	if (ret > 0) {
		/* The whole event must fit; a short user buffer is rejected, not truncated. */
		if (count < reader->data_size)
			ret = -EINVAL;
		else if (copy_to_user(buf, reader->data, reader->data_size))
			ret = -EFAULT;
		else
			ret = reader->data_size;
	}

	/* The flag is cleared here without taking sp->lock. */
	event_data->active = 0;
	return ret;
}
/*
 * Write handler for the "event" file: a one-byte write at offset 0 cancels
 * the pending wait of this file's event reader.
 *
 * The byte itself is never read from @buf. Returns -EINVAL for a negative
 * offset and 0 in every other case, including after a successful cancel.
 */
static ssize_t event_file_write(struct file *file, const char __user *buf, size_t count, loff_t *offset)
{
	struct ibmasmfs_event_data *state = file->private_data;

	if (*offset < 0)
		return -EINVAL;

	if (count == 1 && *offset == 0)
		ibmasm_cancel_next_event(&state->reader);

	return 0;
}
/*
 * Open handler for the "reverse_heartbeat" file.
 *
 * Allocates the per-open state, initialises its heartbeat object and
 * attaches the state to file->private_data. Returns -ENODEV if the inode
 * carries no service processor and -ENOMEM if the allocation fails.
 */
static int r_heartbeat_file_open(struct inode *inode, struct file *file)
{
	struct service_processor *sp = inode->i_private;
	struct ibmasmfs_heartbeat_data *state;

	if (sp == NULL)
		return -ENODEV;

	state = kmalloc(sizeof(*state), GFP_KERNEL);
	if (state == NULL)
		return -ENOMEM;

	state->sp = sp;
	state->active = 0;
	ibmasm_init_reverse_heartbeat(state->sp, &state->heartbeat);
	file->private_data = state;
	return 0;
}
/* Release handler for the "reverse_heartbeat" file: free the per-open state. */
static int r_heartbeat_file_close(struct inode *inode, struct file *file)
{
	kfree(file->private_data);
	return 0;
}
/*
 * Read handler for the "reverse_heartbeat" file: start the reverse
 * heartbeat and return whatever ibmasm_start_reverse_heartbeat() returns.
 *
 * Nothing is copied to @buf. Returns -EINVAL for a negative offset and 0
 * for a non-zero offset, a zero count or a count above 1024. Returns -EBUSY
 * if a heartbeat is already running on this open file.
 */
static ssize_t r_heartbeat_file_read(struct file *file, char __user *buf, size_t count, loff_t *offset)
{
	struct ibmasmfs_heartbeat_data *rhbeat = file->private_data;
	struct service_processor *sp = rhbeat->sp;
	unsigned long flags;
	int already_active;
	int result;

	if (*offset < 0)
		return -EINVAL;
	if (*offset != 0 || count == 0 || count > 1024)
		return 0;

	/* Only one reverse heartbeat at a time on this open file. */
	spin_lock_irqsave(&sp->lock, flags);
	already_active = rhbeat->active;
	if (!already_active)
		rhbeat->active = 1;
	spin_unlock_irqrestore(&sp->lock, flags);

	if (already_active)
		return -EBUSY;

	result = ibmasm_start_reverse_heartbeat(sp, &rhbeat->heartbeat);

	/* The flag is cleared here without taking sp->lock. */
	rhbeat->active = 0;
	return result;
}
/*
 * Write handler for the "reverse_heartbeat" file: a one-byte write at
 * offset 0 stops a running reverse heartbeat.
 *
 * The byte itself is never read from @buf. Returns -EINVAL for a negative
 * offset, 0 for any other count or offset, and 1 after a one-byte write at
 * offset 0, whether or not a heartbeat was running.
 */
static ssize_t r_heartbeat_file_write(struct file *file, const char __user *buf, size_t count, loff_t *offset)
{
	struct ibmasmfs_heartbeat_data *state = file->private_data;

	if (*offset < 0)
		return -EINVAL;
	if (count != 1 || *offset != 0)
		return 0;

	/* The active flag is tested here without taking the sp lock. */
	if (state->active)
		ibmasm_stop_reverse_heartbeat(&state->heartbeat);

	return 1;
}
/*
 * Release handler for the remote_video settings files.
 *
 * This handler frees nothing and always returns 0.
 */
static int remote_settings_file_close(struct inode *inode, struct file *file)
{
	const int rc = 0;

	return rc;
}
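/*
 * Read handler for the remote_video settings files: read the 32-bit
 * register behind this file and return it as a decimal line.
 *
 * The text is formatted into a small stack buffer and handed to
 * simple_read_from_buffer(), which does the offset and count bookkeeping
 * and the bounded copy to user space. Its return value is passed through.
 *
 * The value is unsigned, so it is printed with %u; %d showed values with
 * the top bit set as negative numbers. scnprintf() returns the number of
 * bytes actually stored, so len can never exceed sizeof(lbuf) even if the
 * format is changed later, and simple_read_from_buffer() is never told to
 * read past the stack buffer.
 */
static ssize_t remote_settings_file_read(struct file *file, char __user *buf, size_t count, loff_t *offset)
{
	void __iomem *address = (void __iomem *)file->private_data;
	unsigned int value;
	char lbuf[20];
	int len;

	value = readl(address);
	len = scnprintf(lbuf, sizeof(lbuf), "%u\n", value);

	return simple_read_from_buffer(buf, count, offset, lbuf, len);
}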
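/*
 * Write handler for the remote_video settings files: parse a decimal value
 * from user space and write it to the register behind this file.
 *
 * Returns -EINVAL for a negative offset and 0 for a non-zero offset, a zero
 * count or a count above 1024. Returns -ENOMEM if the bounce buffer cannot
 * be allocated and -EFAULT if the user buffer cannot be copied. On success
 * returns @count.
 *
 * The input is untrusted and ends up in a device register, so it is parsed
 * with kstrtouint(), which reports malformed or out-of-range text as an
 * error. simple_strtoul() turned non-numeric input into 0, ignored trailing
 * garbage and silently truncated values wider than unsigned int, and any of
 * those results was then written to the hardware. A plain decimal number,
 * with or without one trailing newline, is accepted as before.
 */
static ssize_t remote_settings_file_write(struct file *file, const char __user *ubuff, size_t count, loff_t *offset)
{
	void __iomem *address = (void __iomem *)file->private_data;
	unsigned int value;
	char *buff;
	int err;

	if (*offset < 0)
		return -EINVAL;
	if (count == 0 || count > 1024)
		return 0;
	if (*offset != 0)
		return 0;

	/* One extra zeroed byte guarantees NUL termination for the parser. */
	buff = kzalloc(count + 1, GFP_KERNEL);
	if (!buff)
		return -ENOMEM;

	if (copy_from_user(buff, ubuff, count)) {
		kfree(buff);
		return -EFAULT;
	}

	err = kstrtouint(buff, 10, &value);
	kfree(buff);
	if (err)
		return err;

	writel(value, address);
	return count;
}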
/* File operations for the per-service-processor "command" file. */
static const struct file_operations command_fops = {
.open = command_file_open,
.release = command_file_close,
.read = command_file_read,
.write = command_file_write,
.llseek = generic_file_llseek,
};
/* File operations for the per-service-processor "event" file. */
static const struct file_operations event_fops = {
.open = event_file_open,
.release = event_file_close,
.read = event_file_read,
.write = event_file_write,
.llseek = generic_file_llseek,
};
/* File operations for the per-service-processor "reverse_heartbeat" file. */
static const struct file_operations r_heartbeat_fops = {
.open = r_heartbeat_file_open,
.release = r_heartbeat_file_close,
.read = r_heartbeat_file_read,
.write = r_heartbeat_file_write,
.llseek = generic_file_llseek,
};
/*
 * File operations shared by remote_video/width, height and depth. There is
 * no driver-specific open handler; the read and write handlers use
 * file->private_data as the register address.
 */
static const struct file_operations remote_settings_fops = {
.open = simple_open,
.release = remote_settings_file_close,
.read = remote_settings_file_read,
.write = remote_settings_file_write,
.llseek = generic_file_llseek,
};
/*
 * Populate a newly mounted ibmasmfs with one directory per registered
 * service processor.
 *
 * Each directory gets the command, event and reverse_heartbeat files plus a
 * remote_video subdirectory holding width, height and depth. All files are
 * created owner read/write only (S_IRUSR|S_IWUSR). Creation is best effort:
 * if a directory cannot be created, that service processor (or its
 * remote_video subtree) is skipped, and the results of the individual file
 * creations are not checked.
 */
static void ibmasmfs_create_files(struct super_block *sb)
{
	const int owner_rw = S_IRUSR | S_IWUSR;
	struct service_processor *sp;

	list_for_each_entry(sp, &service_processors, node) {
		struct dentry *sp_dir;
		struct dentry *video_dir;

		sp_dir = ibmasmfs_create_dir(sb->s_root, sp->dirname);
		if (sp_dir == NULL)
			continue;

		ibmasmfs_create_file(sp_dir, "command", &command_fops, sp, owner_rw);
		ibmasmfs_create_file(sp_dir, "event", &event_fops, sp, owner_rw);
		ibmasmfs_create_file(sp_dir, "reverse_heartbeat", &r_heartbeat_fops, sp, owner_rw);

		video_dir = ibmasmfs_create_dir(sp_dir, "remote_video");
		if (video_dir == NULL)
			continue;

		/* For these files the private data is a register address, not the sp. */
		ibmasmfs_create_file(video_dir, "width", &remote_settings_fops, (void *)display_width(sp), owner_rw);
		ibmasmfs_create_file(video_dir, "height", &remote_settings_fops, (void *)display_height(sp), owner_rw);
		ibmasmfs_create_file(video_dir, "depth", &remote_settings_fops, (void *)display_depth(sp), owner_rw);
	}
}