[PATCH] bus: moxtet: uninitialized data in output_write()

[Dan Carpenter]

This doesn't check the return from simple_write_to_buffer() to see how
many bytes were initialized.  The only thing we can say for sure is that
the first byte is initialized.

There is no need to use the simple_write_to_buffer() function because
partial writes are not supported.  Even if the user passes in a
different value for *ppos, we still use dummy = 0 as the starting point.
So replace the simple_write_to_buffer() with copy_from_user().  I
added a check for if (*ppos != 0) so that it's more clear that
partial writes are not supported.

Fixes: 5bc7f990cd98 ("bus: Add support for Moxtet bus")
Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
---
The simple_write_to_buffer() is not simple at all and creates a lot of
bugs, but the nice thing about it is that it takes "sizeof(hex)" as
an argument.

However, the "len > 2 * moxtet->count + 1" means that we can't overflow.
And if moxtet->count were wrong it would lead to issues later anyway.

 drivers/bus/moxtet.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/bus/moxtet.c b/drivers/bus/moxtet.c
index 5eb0fe73ddc4..42453518400a 100644
--- a/drivers/bus/moxtet.c
+++ b/drivers/bus/moxtet.c
@@ -513,16 +513,16 @@ static ssize_t output_write(struct file *file, const char __user *buf,
 	struct moxtet *moxtet = file->private_data;
 	u8 bin[TURRIS_MOX_MAX_MODULES];
 	u8 hex[sizeof(bin) * 2 + 1];
-	ssize_t res;
-	loff_t dummy = 0;
 	int err, i;
 
+	if (*ppos != 0)
+		return -EINVAL;
+
 	if (len > 2 * moxtet->count + 1 || len < 2 * moxtet->count)
 		return -EINVAL;
 
-	res = simple_write_to_buffer(hex, sizeof(hex), &dummy, buf, len);
-	if (res < 0)
-		return res;
+	if (copy_from_user(hex, buf, len))
+		return -EFAULT;
 
 	if (len % 2 == 1 && hex[len - 1] != '\n')
 		return -EINVAL;
-- 
2.39.2