hwrng: core - Add WARN_ON for buggy read return values

If a buggy driver returns a length that is longer than the size of the buffer provided to it, then this may lead to a buffer overread in the caller. Stop this by adding a check for it in the hwrng core. Reported-by: Guangwu Zhang <guazhang@redhat.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
author: Herbert Xu <herbert@gondor.apana.org.au> 2024-09-23 14:05:52 +0800
committer: Herbert Xu <herbert@gondor.apana.org.au> 2024-10-05 13:22:05 +0800
commit: fb10c7a84661471cdcc8998d63703211b873c126 (patch)
tree: 510276d63537634d6c238b4c8d62832ce6e0be9a
parent: 98091a826873bc5c114455f474121b67907e98ab (diff)
download: lwn-fb10c7a84661471cdcc8998d63703211b873c126.tar.gz
lwn-fb10c7a84661471cdcc8998d63703211b873c126.zip
1 files changed, 9 insertions, 2 deletions
diff --git a/drivers/char/hw_random/core.c b/drivers/char/hw_random/core.c
index 57c51efa5613..018316f54621 100644
--- a/drivers/char/hw_random/core.c
+++ b/drivers/char/hw_random/core.c
@@ -181,8 +181,15 @@ static inline int rng_get_data(struct hwrng *rng, u8 *buffer, size_t size,
 	int present;
 
 	BUG_ON(!mutex_is_locked(&reading_mutex));
-	if (rng->read)
-		return rng->read(rng, (void *)buffer, size, wait);
+	if (rng->read) {
+		int err;
+
+		err = rng->read(rng, buffer, size, wait);
+		if (WARN_ON_ONCE(err > 0 && err > size))
+			err = size;
+
+		return err;
+	}
 
 	if (rng->data_present)
 		present = rng->data_present(rng, wait);
author	Herbert Xu <herbert@gondor.apana.org.au>	2024-09-23 14:05:52 +0800
committer	Herbert Xu <herbert@gondor.apana.org.au>	2024-10-05 13:22:05 +0800
commit	fb10c7a84661471cdcc8998d63703211b873c126 (patch)
tree	510276d63537634d6c238b4c8d62832ce6e0be9a
parent	98091a826873bc5c114455f474121b67907e98ab (diff)
download	lwn-fb10c7a84661471cdcc8998d63703211b873c126.tar.gz lwn-fb10c7a84661471cdcc8998d63703211b873c126.zip