[haiku-commits] haiku: hrev51821 - in src/add-ons/kernel/drivers/power: acpi_battery acpi_button

  • From: jerome.duval@xxxxxxxxx
  • To: haiku-commits@xxxxxxxxxxxxx
  • Date: Wed, 28 Feb 2018 14:11:41 -0500 (EST)

hrev51821 adds 1 changeset to branch 'master'
old head: 6470e36518942e76ea02d9c7b43eb16c7c2f0ef8
new head: 959fdbd314bc5767f0c0e9e9f0759fe6a71ca7b5
overview: 
http://cgit.haiku-os.org/haiku/log/?qt=range&q=959fdbd314bc+%5E6470e3651894

----------------------------------------------------------------------------

959fdbd314bc: acpi_battery: use user_strlcpy in acpi_battery_read().
  
  * also check for user addresses in acpi_battery_control().

                                   [ Jérôme Duval <jerome.duval@xxxxxxxxx> ]

----------------------------------------------------------------------------

Revision:    hrev51821
Commit:      959fdbd314bc5767f0c0e9e9f0759fe6a71ca7b5
URL:         http://cgit.haiku-os.org/haiku/commit/?id=959fdbd314bc
Author:      Jérôme Duval <jerome.duval@xxxxxxxxx>
Date:        Wed Feb 28 18:59:15 2018 UTC

----------------------------------------------------------------------------

3 files changed, 34 insertions(+), 15 deletions(-)
.../kernel/drivers/power/acpi_battery/Jamfile    |  2 +-
.../drivers/power/acpi_battery/acpi_battery.cpp  | 45 ++++++++++++++------
.../drivers/power/acpi_button/acpi_button.cpp    |  2 +-

----------------------------------------------------------------------------

diff --git a/src/add-ons/kernel/drivers/power/acpi_battery/Jamfile 
b/src/add-ons/kernel/drivers/power/acpi_battery/Jamfile
index dce8e983b6..ae692be826 100644
--- a/src/add-ons/kernel/drivers/power/acpi_battery/Jamfile
+++ b/src/add-ons/kernel/drivers/power/acpi_battery/Jamfile
@@ -1,6 +1,6 @@
 SubDir HAIKU_TOP src add-ons kernel drivers power acpi_battery ;
 
-UsePrivateHeaders kernel ;
+UsePrivateKernelHeaders ;
 
 KernelAddon acpi_battery :
        acpi_battery.cpp
diff --git a/src/add-ons/kernel/drivers/power/acpi_battery/acpi_battery.cpp 
b/src/add-ons/kernel/drivers/power/acpi_battery/acpi_battery.cpp
index 9d776fa043..83f8fc371f 100644
--- a/src/add-ons/kernel/drivers/power/acpi_battery/acpi_battery.cpp
+++ b/src/add-ons/kernel/drivers/power/acpi_battery/acpi_battery.cpp
@@ -17,6 +17,8 @@
 #include <stdlib.h>
 #include <string.h>
 
+#include <kernel.h>
+
 #include "device/power_managment.h"
 
 
@@ -321,43 +323,46 @@ acpi_battery_read(void* _cookie, off_t position, void 
*buffer, size_t* numBytes)
        ReadBatteryInfo(device->driver_cookie, &batteryInfo);
 
        if (position == 0) {
-               size_t max_len = *numBytes;
-               char *str = (char *)buffer;
-
+               char string[512];
+               char *str = string;
+               size_t max_len = sizeof(string);
                snprintf(str, max_len, "Battery Status:\n");
-               max_len-= strlen(str);
+               max_len -= strlen(str);
                str += strlen(str);
 
                snprintf(str, max_len, " State %i, Current Rate %i, Capacity 
%i, "
                        "Voltage %i\n", batteryStatus.state, 
batteryStatus.current_rate,
                        batteryStatus.capacity, batteryStatus.voltage);
-               max_len-= strlen(str);
+               max_len -= strlen(str);
                str += strlen(str);
 
                snprintf(str, max_len, "\nBattery Info:\n");
-               max_len-= strlen(str);
+               max_len -= strlen(str);
                str += strlen(str);
 
                snprintf(str, max_len, " Power Unit %i, Design Capacity %i, "
                        "Last Full Charge %i, Technology %i\n", 
batteryInfo.power_unit,
                        batteryInfo.design_capacity, 
batteryInfo.last_full_charge,
                        batteryInfo.technology);
-               max_len-= strlen(str);
+               max_len -= strlen(str);
                str += strlen(str);
                snprintf(str, max_len, " Design Voltage %i, Design Capacity 
Warning %i, "
                        "Design Capacity Low %i, Capacity Granularity1 %i, "
                        "Capacity Granularity1 %i\n", 
batteryInfo.design_voltage,
                        batteryInfo.design_capacity_warning, 
batteryInfo.design_capacity_low,
                        batteryInfo.capacity_granularity_1, 
batteryInfo.capacity_granularity_1);
-               max_len-= strlen(str);
+               max_len -= strlen(str);
                str += strlen(str);
                snprintf(str, max_len, " Model Number %s, Serial Number %s, "
                        "Type %s, OEM Info %s\n", batteryInfo.model_number,
                        batteryInfo.serial_number, batteryInfo.type, 
batteryInfo.oem_info);
-               max_len-= strlen(str);
+               max_len -= strlen(str);
                str += strlen(str);
 
-               *numBytes = strlen((char *)buffer);
+               max_len = user_strlcpy((char*)buffer, string, *numBytes);
+               if (max_len < B_OK)
+                       return B_BAD_ADDRESS;
+               *numBytes = max_len;
        } else
                *numBytes = 0;
 
@@ -384,7 +389,11 @@ acpi_battery_control(void* _cookie, uint32 op, void* arg, 
size_t len)
                                return B_BAD_VALUE;
 
                        uint32 magicId = kMagicACPIBatteryID;
-                       return user_memcpy(arg, &magicId, sizeof(magicId));
+                       if (!IS_USER_ADDRESS(arg)
+                               || user_memcpy(arg, &magicId, sizeof(magicId)) 
< B_OK) {
+                               return B_BAD_ADDRESS;
+                       }
+                       return B_OK;
                }
 
                case GET_BATTERY_INFO: {
@@ -395,7 +404,12 @@ acpi_battery_control(void* _cookie, uint32 op, void* arg, 
size_t len)
                        err = ReadBatteryStatus(device->driver_cookie, 
&batteryInfo);
                        if (err != B_OK)
                                return err;
-                       return user_memcpy(arg, &batteryInfo, 
sizeof(batteryInfo));
+                       if (!IS_USER_ADDRESS(arg)
+                               || user_memcpy(arg, &batteryInfo, 
sizeof(batteryInfo))
+                                       < B_OK) {
+                               return B_BAD_ADDRESS;
+                       }
+                       return B_OK;
                }
 
                case GET_EXTENDED_BATTERY_INFO: {
@@ -406,7 +420,12 @@ acpi_battery_control(void* _cookie, uint32 op, void* arg, 
size_t len)
                        err = ReadBatteryInfo(device->driver_cookie, 
&extBatteryInfo);
                        if (err != B_OK)
                                return err;
-                       return user_memcpy(arg, &extBatteryInfo, 
sizeof(extBatteryInfo));
+                       if (!IS_USER_ADDRESS(arg)
+                               || user_memcpy(arg, &extBatteryInfo, 
sizeof(extBatteryInfo))
+                                       < B_OK) {
+                               return B_BAD_ADDRESS;
+                       }
+                       return B_OK;
                }
 
                case WATCH_BATTERY:
diff --git a/src/add-ons/kernel/drivers/power/acpi_button/acpi_button.cpp 
b/src/add-ons/kernel/drivers/power/acpi_button/acpi_button.cpp
index 56830918a5..6f30e605fc 100644
--- a/src/add-ons/kernel/drivers/power/acpi_button/acpi_button.cpp
+++ b/src/add-ons/kernel/drivers/power/acpi_button/acpi_button.cpp
@@ -210,7 +210,7 @@ acpi_button_select(void *_cookie, uint8 event, selectsync 
*sync)
        status_t error = add_select_sync_pool_entry(&device->select_pool, sync,
                event);
        if (error != B_OK) {
-               ERROR("add_select_sync_pool_entry() failed: %" B_PRId32 "\n", 
error);
+               ERROR("add_select_sync_pool_entry() failed: %" B_PRIx32 "\n", 
error);
                return error;
        }
 


Other related posts:

  • » [haiku-commits] haiku: hrev51821 - in src/add-ons/kernel/drivers/power: acpi_battery acpi_button - jerome . duval