platform/x86: intel_pmc_core: Uninitialized data in pmc_core_lpm_latch_mode_write()

The simple_write_to_buffer() can return success if even a single byte
is copied from user space.  In this case it can result in using
uninitalized data if the buf[] array is not fully initialized.  Really
we should only succeed if the whole buffer is copied.

Just using copy_from_user() is simpler and more appropriate.

Fixes: 8074a79fad2e ("platform/x86: intel_pmc_core: Add option to set/clear LPM mode")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/YIBCf+G9Ef8wrGJw@mwanda
Signed-off-by: Hans de Goede <hdegoede@redhat.com>

1 files changed, 2 insertions, 6 deletions

diff --git a/drivers/platform/x86/intel_pmc_core.c b/drivers/platform/x86/intel_pmc_core.c
index d174aeb492e0..b0e486a6bdfb 100644
--- a/drivers/platform/x86/intel_pmc_core.c
+++ b/drivers/platform/x86/intel_pmc_core.c
@@ -1360,17 +1360,13 @@ static ssize_t pmc_core_lpm_latch_mode_write(struct file *file,
 	struct pmc_dev *pmcdev = s->private;
 	bool clear = false, c10 = false;
 	unsigned char buf[8];
-	ssize_t ret;
 	int idx, m, mode;
 	u32 reg;
 
 	if (count > sizeof(buf) - 1)
 		return -EINVAL;
-
-	ret = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, userbuf, count);
-	if (ret < 0)
-		return ret;
-
+	if (copy_from_user(buf, userbuf, count))
+		return -EFAULT;
 	buf[count] = '\0';
 
 	/*