From: Dan Carpenter Date: Wed, 21 Apr 2021 15:19:27 +0000 (+0300) Subject: platform/x86: intel_pmc_core: Uninitialized data in pmc_core_lpm_latch_mode_write() X-Git-Url: http://git.osdn.net/view?a=commitdiff_plain;h=37bd59d3cef8e90055dc26e25d9aba00f06f5f9f;p=uclinux-h8%2Flinux.git platform/x86: intel_pmc_core: Uninitialized data in pmc_core_lpm_latch_mode_write() The simple_write_to_buffer() can return success if even a single byte is copied from user space. In this case it can result in using uninitalized data if the buf[] array is not fully initialized. Really we should only succeed if the whole buffer is copied. Just using copy_from_user() is simpler and more appropriate. Fixes: 8074a79fad2e ("platform/x86: intel_pmc_core: Add option to set/clear LPM mode") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/YIBCf+G9Ef8wrGJw@mwanda Signed-off-by: Hans de Goede --- diff --git a/drivers/platform/x86/intel_pmc_core.c b/drivers/platform/x86/intel_pmc_core.c index d174aeb492e0..b0e486a6bdfb 100644 --- a/drivers/platform/x86/intel_pmc_core.c +++ b/drivers/platform/x86/intel_pmc_core.c @@ -1360,17 +1360,13 @@ static ssize_t pmc_core_lpm_latch_mode_write(struct file *file, struct pmc_dev *pmcdev = s->private; bool clear = false, c10 = false; unsigned char buf[8]; - ssize_t ret; int idx, m, mode; u32 reg; if (count > sizeof(buf) - 1) return -EINVAL; - - ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf, count); - if (ret < 0) - return ret; - + if (copy_from_user(buf, userbuf, count)) + return -EFAULT; buf[count] = '\0'; /*