linux-stable.git/drivers/platform/chrome/cros_ec_dev.c, branch linux-4.9.y Linux kernel stable tree platform/chrome: cros_ec_dev - double fetch bug in ioctl 2016-07-05T21:01:52+00:00 Dan Carpenter dan.carpenter@oracle.com 2016-06-21T13:58:46+00:00 096cdc6f52225835ff503f987a0d68ef770bb78e We verify "u_cmd.outsize" and "u_cmd.insize" but we need to make sure that those values have not changed between the two copy_from_user() calls. Otherwise it could lead to a buffer overflow. Additionally, cros_ec_cmd_xfer() can set s_cmd->insize to a lower value. We should use the new smaller value so we don't copy too much data to the user. Reported-by: Pengfei Wang <wpengfeinudt@gmail.com> Fixes: a841178445bb ('mfd: cros_ec: Use a zero-length array for command data') Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Kees Cook <keescook@chromium.org> Tested-by: Gwendal Grignou <gwendal@chromium.org> Cc: <stable@vger.kernel.org> # v4.2+ Signed-off-by: Olof Johansson <olof@lixom.net> 
We verify "u_cmd.outsize" and "u_cmd.insize" but we need to make sure
that those values have not changed between the two copy_from_user()
calls.  Otherwise it could lead to a buffer overflow.

Additionally, cros_ec_cmd_xfer() can set s_cmd->insize to a lower value.
We should use the new smaller value so we don't copy too much data to
the user.

Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Fixes: a841178445bb ('mfd: cros_ec: Use a zero-length array for command data')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Tested-by: Gwendal Grignou <gwendal@chromium.org>
Cc: <stable@vger.kernel.org> # v4.2+
Signed-off-by: Olof Johansson <olof@lixom.net>
platform/chrome: cros_ec_dev - Populate compat_ioctl 2016-05-11T18:55:48+00:00 Guenter Roeck linux@roeck-us.net 2016-04-15T02:35:29+00:00 2521ea3e0d1b285cea371a38772d3eefa0490c71 compat_ioctl has to be populated for 32 bit userspace applications to work with 64 bit kernels. Signed-off-by: Guenter Roeck <linux@roeck-us.net> Tested-by: Brian Norris <briannorris@chromium.org> Signed-off-by: Olof Johansson <olof@lixom.net> 
compat_ioctl has to be populated for 32 bit userspace applications to work
with 64 bit kernels.

Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Olof Johansson <olof@lixom.net>
platform/chrome: cros_ec_dev - Fix security issue 2016-05-11T18:55:47+00:00 Gwendal Grignou gwendal@chromium.org 2016-03-08T17:13:52+00:00 5d749d0bbe811c10d9048cde6dfebc761713abfd Prevent memory scribble by checking that ioctl buffer size parameters are sane. Without this check, on 32 bits system, if .insize = 0xffffffff - 20 and .outsize the amount to scribble, we would overflow, allocate a small amounts and be able to write outside of the malloc'ed area. Adding a hard limit allows argument checking of the ioctl. With the current EC, it is expected .insize and .outsize to be at around 512 bytes or less. Signed-off-by: Gwendal Grignou <gwendal@chromium.org> Signed-off-by: Olof Johansson <olof@lixom.net> 
Prevent memory scribble by checking that ioctl buffer size parameters
are sane.
Without this check, on 32 bits system, if .insize = 0xffffffff - 20 and
.outsize the amount to scribble, we would overflow, allocate a small
amounts and be able to write outside of the malloc'ed area.
Adding a hard limit allows argument checking of the ioctl. With the
current EC, it is expected .insize and .outsize to be at around 512 bytes
or less.

Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
Signed-off-by: Olof Johansson <olof@lixom.net>
platform/chrome: Support reading/writing the vboot context 2015-10-07T22:05:53+00:00 Emilio López emilio.lopez@collabora.co.uk 2015-09-21T13:38:22+00:00 18800fc7a04e7df8a345e7ef4fc3064368276f83 Some EC implementations include a small nvram space used to store verified boot context data. This patch offers a way to expose this data to userspace. Reviewed-by: Javier Martinez Canillas <javier@osg.samsung.com> Signed-off-by: Emilio López <emilio.lopez@collabora.co.uk> Signed-off-by: Olof Johansson <olof@lixom.net> 
Some EC implementations include a small nvram space used to store
verified boot context data. This patch offers a way to expose this
data to userspace.

Reviewed-by: Javier Martinez Canillas <javier@osg.samsung.com>
Signed-off-by: Emilio López <emilio.lopez@collabora.co.uk>
Signed-off-by: Olof Johansson <olof@lixom.net>
platform/chrome: cros_ec_dev - Add a platform device ID table 2015-10-07T21:34:26+00:00 Javier Martinez Canillas javier.martinez@collabora.co.uk 2015-06-22T06:27:20+00:00 afbf8ec7c4f90ddd3ee8655c591983fb9d399f43 If the cros_ec_dev driver is built as a module, modalias information is not filled so the module is not autoloaded. Add a platform device table and use the MODULE_DEVICE_TABLE() macro to export that information in the module so user-space can match the modalias uevent and autoload it. Signed-off-by: Javier Martinez Canillas <javier.martinez@collabora.co.uk> Signed-off-by: Olof Johansson <olof@lixom.net> 
If the cros_ec_dev driver is built as a module, modalias information is
not filled so the module is not autoloaded. Add a platform device table
and use the MODULE_DEVICE_TABLE() macro to export that information in
the module so user-space can match the modalias uevent and autoload it.

Signed-off-by: Javier Martinez Canillas <javier.martinez@collabora.co.uk>
Signed-off-by: Olof Johansson <olof@lixom.net>
mfd: cros_ec: Support multiple EC in a system 2015-06-15T12:18:23+00:00 Gwendal Grignou gwendal@chromium.org 2015-06-09T11:04:47+00:00 57b33ff077beebb68481a2b6b8e5fe58ca998169 Chromebooks can have more than one Embedded Controller so the cros_ec device id has to be incremented for each EC registered. Add a new structure to represent multiple EC as different char devices (e.g: /dev/cros_ec, /dev/cros_pd). It connects to cros_ec_device and allows sysfs inferface for cros_pd. Also reduce number of allocated objects, make chromeos sysfs class object a static and add refcounting to prevent object deletion while command is in progress. Signed-off-by: Gwendal Grignou <gwendal@chromium.org> Reviewed-by: Dmitry Torokhov <dtor@chromium.org> Signed-off-by: Javier Martinez Canillas <javier.martinez@collabora.co.uk> Tested-by: Heiko Stuebner <heiko@sntech.de> Acked-by: Lee Jones <lee.jones@linaro.org> Acked-by: Olof Johansson <olof@lixom.net> Signed-off-by: Lee Jones <lee.jones@linaro.org> 
Chromebooks can have more than one Embedded Controller so the
cros_ec device id has to be incremented for each EC registered.

Add a new structure to represent multiple EC as different char
devices (e.g: /dev/cros_ec, /dev/cros_pd). It connects to
cros_ec_device and allows sysfs inferface for cros_pd.

Also reduce number of allocated objects, make chromeos sysfs
class object a static and add refcounting to prevent object
deletion while command is in progress.

Signed-off-by: Gwendal Grignou <gwendal@chromium.org>
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
Signed-off-by: Javier Martinez Canillas <javier.martinez@collabora.co.uk>
Tested-by: Heiko Stuebner <heiko@sntech.de>
Acked-by: Lee Jones <lee.jones@linaro.org>
Acked-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
mfd: cros_ec: Use a zero-length array for command data 2015-06-15T12:18:19+00:00 Javier Martinez Canillas javier.martinez@collabora.co.uk 2015-06-09T11:04:42+00:00 a841178445bb72a3d566b4e6ab9d19e9b002eb47 Commit 1b84f2a4cd4a ("mfd: cros_ec: Use fixed size arrays to transfer data with the EC") modified the struct cros_ec_command fields to not use pointers for the input and output buffers and use fixed length arrays instead. This change was made because the cros_ec ioctl API uses that struct cros_ec_command to allow user-space to send commands to the EC and to get data from the EC. So using pointers made the API not 64-bit safe. Unfortunately this approach was not flexible enough for all the use-cases since there may be a need to send larger commands on newer versions of the EC command protocol. So to avoid to choose a constant length that it may be too big for most commands and thus wasting memory and CPU cycles on copy from and to user-space or having a size that is too small for some big commands, use a zero-length array that is both 64-bit safe and flexible. The same buffer is used for both output and input data so the maximum of these values should be used to allocate it. Suggested-by: Gwendal Grignou <gwendal@chromium.org> Signed-off-by: Javier Martinez Canillas <javier.martinez@collabora.co.uk> Tested-by: Heiko Stuebner <heiko@sntech.de> Acked-by: Lee Jones <lee.jones@linaro.org> Acked-by: Olof Johansson <olof@lixom.net> Signed-off-by: Lee Jones <lee.jones@linaro.org> 
Commit 1b84f2a4cd4a ("mfd: cros_ec: Use fixed size arrays to transfer
data with the EC") modified the struct cros_ec_command fields to not
use pointers for the input and output buffers and use fixed length
arrays instead.

This change was made because the cros_ec ioctl API uses that struct
cros_ec_command to allow user-space to send commands to the EC and
to get data from the EC. So using pointers made the API not 64-bit
safe. Unfortunately this approach was not flexible enough for all
the use-cases since there may be a need to send larger commands
on newer versions of the EC command protocol.

So to avoid to choose a constant length that it may be too big for
most commands and thus wasting memory and CPU cycles on copy from
and to user-space or having a size that is too small for some big
commands, use a zero-length array that is both 64-bit safe and
flexible. The same buffer is used for both output and input data
so the maximum of these values should be used to allocate it.

Suggested-by: Gwendal Grignou <gwendal@chromium.org>
Signed-off-by: Javier Martinez Canillas <javier.martinez@collabora.co.uk>
Tested-by: Heiko Stuebner <heiko@sntech.de>
Acked-by: Lee Jones <lee.jones@linaro.org>
Acked-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
platform/chrome: cros_ec_dev - fix Unknown escape '%' warning 2015-03-04T19:23:10+00:00 Olof Johansson olofj@chromium.org 2015-03-03T12:22:32+00:00 ef59c25d1be9539890c03c4915cdd4b868191b6f Fix the following sparse warning: drivers/platform/chrome/cros_ec_dev.c:64:45: sparse: Unknown escape '%' Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Olof Johansson <olofj@chromium.org> Reviewed-by: Gwendal Grignou <gwendal@chromium.org> Signed-off-by: Javier Martinez Canillas <javier.martinez@collabora.co.uk> Signed-off-by: Olof Johansson <olof@lixom.net> 
Fix the following sparse warning:

    drivers/platform/chrome/cros_ec_dev.c:64:45: sparse: Unknown escape '%'

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Olof Johansson <olofj@chromium.org>
Reviewed-by: Gwendal Grignou <gwendal@chromium.org>
Signed-off-by: Javier Martinez Canillas <javier.martinez@collabora.co.uk>
Signed-off-by: Olof Johansson <olof@lixom.net>
platform/chrome: Expose Chrome OS Lightbar to users 2015-02-26T23:45:16+00:00 Bill Richardson wfrichar@chromium.org 2015-02-02T11:26:28+00:00 f3f837e52b14bf84c2db65f622b5c31cd261100c This adds some sysfs entries to provide userspace control of the four-element LED "lightbar" on the Chromebook Pixel. This only instantiates the lightbar controls if the device actually exists. To prevent DoS attacks, this interface is limited to 20 accesses/second, although that rate can be adjusted by a privileged user. On Chromebooks without a lightbar, this should have no effect. On the Chromebook Pixel, you should be able to do things like this: $ cd /sys/devices/virtual/chromeos/cros_ec/lightbar $ echo 0x80 > brightness $ echo 255 > brightness $ $ cat sequence S0 $ echo konami > sequence $ cat sequence KONAMI $ $ cat sequence S0 And $ cd /sys/devices/virtual/chromeos/cros_ec/lightbar $ echo stop > sequence $ echo "4 255 255 255" > led_rgb $ echo "0 255 0 0 1 0 255 0 2 0 0 255 3 255 255 0" > led_rgb $ echo run > sequence Test the DoS prevention with this: $ cd /sys/devices/virtual/chromeos/cros_ec/lightbar $ echo 500 > interval_msec $ time (cat version version version version version version version) Signed-off-by: Bill Richardson <wfrichar@chromium.org> Reviewed-by: Olof Johansson <olofj@chromium.org> Tested-by: Doug Anderson <dianders@chromium.org> Reviewed-by: Benson Leung <bleung@chromium.org> Signed-off-by: Javier Martinez Canillas <javier.martinez@collabora.co.uk> Tested-by: Gwendal Grignou <gwendal@chromium.org> Reviewed-by: Gwendal Grignou <gwendal@chromium.org> Signed-off-by: Olof Johansson <olof@lixom.net> 
This adds some sysfs entries to provide userspace control of the
four-element LED "lightbar" on the Chromebook Pixel. This only instantiates
the lightbar controls if the device actually exists.

To prevent DoS attacks, this interface is limited to 20 accesses/second,
although that rate can be adjusted by a privileged user.

On Chromebooks without a lightbar, this should have no effect. On the
Chromebook Pixel, you should be able to do things like this:

    $ cd /sys/devices/virtual/chromeos/cros_ec/lightbar
    $ echo 0x80 > brightness
    $ echo 255 > brightness
    $
    $ cat sequence
    S0
    $ echo konami > sequence
    $ cat sequence
    KONAMI
    $
    $ cat sequence
    S0

And

    $ cd /sys/devices/virtual/chromeos/cros_ec/lightbar
    $ echo stop > sequence
    $ echo "4 255 255 255" > led_rgb
    $ echo "0 255 0 0  1 0 255 0  2 0 0 255  3 255 255 0" > led_rgb
    $ echo run  > sequence

Test the DoS prevention with this:

    $ cd /sys/devices/virtual/chromeos/cros_ec/lightbar
    $ echo 500 > interval_msec
    $ time (cat version version version version version version version)

Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-by: Olof Johansson <olofj@chromium.org>
Tested-by: Doug Anderson <dianders@chromium.org>
Reviewed-by: Benson Leung <bleung@chromium.org>
Signed-off-by: Javier Martinez Canillas <javier.martinez@collabora.co.uk>
Tested-by: Gwendal Grignou <gwendal@chromium.org>
Reviewed-by: Gwendal Grignou <gwendal@chromium.org>
Signed-off-by: Olof Johansson <olof@lixom.net>
platform/chrome: Create sysfs attributes for the ChromeOS EC 2015-02-26T23:45:12+00:00 Bill Richardson wfrichar@chromium.org 2015-02-02T11:26:27+00:00 71af4b52cc22a8d0f7b66a51427a804741a045b6 This adds the first few sysfs attributes for the Chrome OS EC. These controls are made available under /sys/devices/virtual/chromeos/cros_ec flashinfo - display current flash info reboot - tell the EC to reboot in various ways version - information about the EC software and hardware Future changes will build on this to add additional controls. From a root shell, you should be able to do things like this: cd /sys/devices/virtual/chromeos/cros_ec cat flashinfo cat version echo rw > reboot cat version echo ro > reboot cat version echo rw > reboot cat version echo cold > reboot That last command will reboot the AP too. Signed-off-by: Bill Richardson <wfrichar@chromium.org> Reviewed-by: Olof Johansson <olofj@chromium.org> Signed-off-by: Javier Martinez Canillas <javier.martinez@collabora.co.uk> Tested-by: Gwendal Grignou <gwendal@chromium.org> Reviewed-by: Gwendal Grignou <gwendal@chromium.org> Signed-off-by: Olof Johansson <olof@lixom.net> 
This adds the first few sysfs attributes for the Chrome OS EC. These
controls are made available under /sys/devices/virtual/chromeos/cros_ec

    flashinfo   - display current flash info
    reboot      - tell the EC to reboot in various ways
    version     - information about the EC software and hardware

Future changes will build on this to add additional controls.

From a root shell, you should be able to do things like this:

    cd /sys/devices/virtual/chromeos/cros_ec
    cat flashinfo
    cat version
    echo rw > reboot
    cat version
    echo ro > reboot
    cat version
    echo rw > reboot
    cat version
    echo cold > reboot

That last command will reboot the AP too.

Signed-off-by: Bill Richardson <wfrichar@chromium.org>
Reviewed-by: Olof Johansson <olofj@chromium.org>
Signed-off-by: Javier Martinez Canillas <javier.martinez@collabora.co.uk>
Tested-by: Gwendal Grignou <gwendal@chromium.org>
Reviewed-by: Gwendal Grignou <gwendal@chromium.org>
Signed-off-by: Olof Johansson <olof@lixom.net>