hrev51821 adds 1 changeset to branch 'master'
old head: 6470e36518942e76ea02d9c7b43eb16c7c2f0ef8
new head: 959fdbd314bc5767f0c0e9e9f0759fe6a71ca7b5
overview:
http://cgit.haiku-os.org/haiku/log/?qt=range&q=959fdbd314bc+%5E6470e3651894
----------------------------------------------------------------------------
959fdbd314bc: acpi_battery: use user_strlcpy in acpi_battery_read().
* also check for user addresses in acpi_battery_control().
[ Jérôme Duval <jerome.duval@xxxxxxxxx> ]
----------------------------------------------------------------------------
Revision: hrev51821
Commit: 959fdbd314bc5767f0c0e9e9f0759fe6a71ca7b5
URL: http://cgit.haiku-os.org/haiku/commit/?id=959fdbd314bc
Author: Jérôme Duval <jerome.duval@xxxxxxxxx>
Date: Wed Feb 28 18:59:15 2018 UTC
----------------------------------------------------------------------------
3 files changed, 34 insertions(+), 15 deletions(-)
.../kernel/drivers/power/acpi_battery/Jamfile | 2 +-
.../drivers/power/acpi_battery/acpi_battery.cpp | 45 ++++++++++++++------
.../drivers/power/acpi_button/acpi_button.cpp | 2 +-
----------------------------------------------------------------------------
diff --git a/src/add-ons/kernel/drivers/power/acpi_battery/Jamfile
b/src/add-ons/kernel/drivers/power/acpi_battery/Jamfile
index dce8e983b6..ae692be826 100644
--- a/src/add-ons/kernel/drivers/power/acpi_battery/Jamfile
+++ b/src/add-ons/kernel/drivers/power/acpi_battery/Jamfile
@@ -1,6 +1,6 @@
SubDir HAIKU_TOP src add-ons kernel drivers power acpi_battery ;
-UsePrivateHeaders kernel ;
+UsePrivateKernelHeaders ;
KernelAddon acpi_battery :
acpi_battery.cpp
diff --git a/src/add-ons/kernel/drivers/power/acpi_battery/acpi_battery.cpp
b/src/add-ons/kernel/drivers/power/acpi_battery/acpi_battery.cpp
index 9d776fa043..83f8fc371f 100644
--- a/src/add-ons/kernel/drivers/power/acpi_battery/acpi_battery.cpp
+++ b/src/add-ons/kernel/drivers/power/acpi_battery/acpi_battery.cpp
@@ -17,6 +17,8 @@
#include <stdlib.h>
#include <string.h>
+#include <kernel.h>
+
#include "device/power_managment.h"
@@ -321,43 +323,46 @@ acpi_battery_read(void* _cookie, off_t position, void
*buffer, size_t* numBytes)
ReadBatteryInfo(device->driver_cookie, &batteryInfo);
if (position == 0) {
- size_t max_len = *numBytes;
- char *str = (char *)buffer;
-
+ char string[512];
+ char *str = string;
+ size_t max_len = sizeof(string);
snprintf(str, max_len, "Battery Status:\n");
- max_len-= strlen(str);
+ max_len -= strlen(str);
str += strlen(str);
snprintf(str, max_len, " State %i, Current Rate %i, Capacity
%i, "
"Voltage %i\n", batteryStatus.state,
batteryStatus.current_rate,
batteryStatus.capacity, batteryStatus.voltage);
- max_len-= strlen(str);
+ max_len -= strlen(str);
str += strlen(str);
snprintf(str, max_len, "\nBattery Info:\n");
- max_len-= strlen(str);
+ max_len -= strlen(str);
str += strlen(str);
snprintf(str, max_len, " Power Unit %i, Design Capacity %i, "
"Last Full Charge %i, Technology %i\n",
batteryInfo.power_unit,
batteryInfo.design_capacity,
batteryInfo.last_full_charge,
batteryInfo.technology);
- max_len-= strlen(str);
+ max_len -= strlen(str);
str += strlen(str);
snprintf(str, max_len, " Design Voltage %i, Design Capacity
Warning %i, "
"Design Capacity Low %i, Capacity Granularity1 %i, "
"Capacity Granularity1 %i\n",
batteryInfo.design_voltage,
batteryInfo.design_capacity_warning,
batteryInfo.design_capacity_low,
batteryInfo.capacity_granularity_1,
batteryInfo.capacity_granularity_1);
- max_len-= strlen(str);
+ max_len -= strlen(str);
str += strlen(str);
snprintf(str, max_len, " Model Number %s, Serial Number %s, "
"Type %s, OEM Info %s\n", batteryInfo.model_number,
batteryInfo.serial_number, batteryInfo.type,
batteryInfo.oem_info);
- max_len-= strlen(str);
+ max_len -= strlen(str);
str += strlen(str);
- *numBytes = strlen((char *)buffer);
+ max_len = user_strlcpy((char*)buffer, string, *numBytes);
+ if (max_len < B_OK)
+ return B_BAD_ADDRESS;
+ *numBytes = max_len;
} else
*numBytes = 0;
@@ -384,7 +389,11 @@ acpi_battery_control(void* _cookie, uint32 op, void* arg,
size_t len)
return B_BAD_VALUE;
uint32 magicId = kMagicACPIBatteryID;
- return user_memcpy(arg, &magicId, sizeof(magicId));
+ if (!IS_USER_ADDRESS(arg)
+ || user_memcpy(arg, &magicId, sizeof(magicId))
< B_OK) {
+ return B_BAD_ADDRESS;
+ }
+ return B_OK;
}
case GET_BATTERY_INFO: {
@@ -395,7 +404,12 @@ acpi_battery_control(void* _cookie, uint32 op, void* arg,
size_t len)
err = ReadBatteryStatus(device->driver_cookie,
&batteryInfo);
if (err != B_OK)
return err;
- return user_memcpy(arg, &batteryInfo,
sizeof(batteryInfo));
+ if (!IS_USER_ADDRESS(arg)
+ || user_memcpy(arg, &batteryInfo,
sizeof(batteryInfo))
+ < B_OK) {
+ return B_BAD_ADDRESS;
+ }
+ return B_OK;
}
case GET_EXTENDED_BATTERY_INFO: {
@@ -406,7 +420,12 @@ acpi_battery_control(void* _cookie, uint32 op, void* arg,
size_t len)
err = ReadBatteryInfo(device->driver_cookie,
&extBatteryInfo);
if (err != B_OK)
return err;
- return user_memcpy(arg, &extBatteryInfo,
sizeof(extBatteryInfo));
+ if (!IS_USER_ADDRESS(arg)
+ || user_memcpy(arg, &extBatteryInfo,
sizeof(extBatteryInfo))
+ < B_OK) {
+ return B_BAD_ADDRESS;
+ }
+ return B_OK;
}
case WATCH_BATTERY:
diff --git a/src/add-ons/kernel/drivers/power/acpi_button/acpi_button.cpp
b/src/add-ons/kernel/drivers/power/acpi_button/acpi_button.cpp
index 56830918a5..6f30e605fc 100644
--- a/src/add-ons/kernel/drivers/power/acpi_button/acpi_button.cpp
+++ b/src/add-ons/kernel/drivers/power/acpi_button/acpi_button.cpp
@@ -210,7 +210,7 @@ acpi_button_select(void *_cookie, uint8 event, selectsync
*sync)
status_t error = add_select_sync_pool_entry(&device->select_pool, sync,
event);
if (error != B_OK) {
- ERROR("add_select_sync_pool_entry() failed: %" B_PRId32 "\n",
error);
+ ERROR("add_select_sync_pool_entry() failed: %" B_PRIx32 "\n",
error);
return error;
}