From 433b7cd1e702b0918ef90cbf06c3da24313625d2 Mon Sep 17 00:00:00 2001

From: Johan Hovold <johan@kernel.org>

Date: Wed, 1 Dec 2021 14:25:27 +0100

Subject: [PATCH] firmware: qemu_fw_cfg: fix sysfs information leak

Git-commit: 433b7cd1e702b0918ef90cbf06c3da24313625d2

Alt-commit: 1b656e9aad7f4886ed466094d1dc5ee4dd900d20

Patch-mainline: v5.17-rc1

References: git-fixes

Make sure to always NUL-terminate file names retrieved from the firmware

to avoid accessing data beyond the entry slab buffer and exposing it

through sysfs in case the firmware data is corrupt.

Fixes: 75f3e8e47f38 ("firmware: introduce sysfs driver for QEMU's fw_cfg device")

Cc: stable@vger.kernel.org      # 4.6

Cc: Gabriel Somlo <somlo@cmu.edu>

Signed-off-by: Johan Hovold <johan@kernel.org>

Link: https://lore.kernel.org/r/20211201132528.30025-4-johan@kernel.org

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Acked-by: Takashi Iwai <tiwai@suse.de>

---

 drivers/firmware/qemu_fw_cfg.c | 2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/firmware/qemu_fw_cfg.c b/drivers/firmware/qemu_fw_cfg.c

index ccb7ed62452f..f08e056ed0ae 100644

--- a/drivers/firmware/qemu_fw_cfg.c

+++ b/drivers/firmware/qemu_fw_cfg.c

@@ -598,7 +598,7 @@ static int fw_cfg_register_file(const struct fw_cfg_file *f)

 	/* set file entry information */

 	entry->size = be32_to_cpu(f->size);

 	entry->select = be16_to_cpu(f->select);

-	memcpy(entry->name, f->name, FW_CFG_MAX_FILE_PATH);

+	strscpy(entry->name, f->name, FW_CFG_MAX_FILE_PATH);

 	/* register entry under "/sys/firmware/qemu_fw_cfg/by_key/" */

 	err = kobject_init_and_add(&entry->kobj, &fw_cfg_sysfs_entry_ktype,

-- 

2.31.1