diff options
author | Michael Buesch <mb@bu3sch.de> | 2009-07-29 05:39:03 -0400 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2009-08-07 19:05:12 -0400 |
commit | 18753ebc8a98efe0e8ff6167afb31cef220c8e50 (patch) | |
tree | 7c2d95b3758acf4cf3b42aec04d284ae67de1647 | |
parent | 49276560c9004fce24c42e3c0ad75f34d956fc63 (diff) |
USB: devio: Properly do access_ok() checks
access_ok() checks must be done on every part of the userspace structure
that is accessed. If access_ok() on one part of the struct succeeded, it
does not imply it will succeed on other parts of the struct. (Does
depend on the architecture implementation of access_ok()).
This changes the __get_user() users to first check access_ok() on the
data structure.
Signed-off-by: Michael Buesch <mb@bu3sch.de>
Cc: stable <stable@kernel.org>
Cc: Pete Zaitcev <zaitcev@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | drivers/usb/core/devio.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c index 38b8bce782d6..e192fa05f8a1 100644 --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c | |||
@@ -1321,7 +1321,8 @@ static int get_urb32(struct usbdevfs_urb *kurb, | |||
1321 | struct usbdevfs_urb32 __user *uurb) | 1321 | struct usbdevfs_urb32 __user *uurb) |
1322 | { | 1322 | { |
1323 | __u32 uptr; | 1323 | __u32 uptr; |
1324 | if (get_user(kurb->type, &uurb->type) || | 1324 | if (!access_ok(VERIFY_READ, uurb, sizeof(*uurb)) || |
1325 | __get_user(kurb->type, &uurb->type) || | ||
1325 | __get_user(kurb->endpoint, &uurb->endpoint) || | 1326 | __get_user(kurb->endpoint, &uurb->endpoint) || |
1326 | __get_user(kurb->status, &uurb->status) || | 1327 | __get_user(kurb->status, &uurb->status) || |
1327 | __get_user(kurb->flags, &uurb->flags) || | 1328 | __get_user(kurb->flags, &uurb->flags) || |
@@ -1536,8 +1537,9 @@ static int proc_ioctl_compat(struct dev_state *ps, compat_uptr_t arg) | |||
1536 | u32 udata; | 1537 | u32 udata; |
1537 | 1538 | ||
1538 | uioc = compat_ptr((long)arg); | 1539 | uioc = compat_ptr((long)arg); |
1539 | if (get_user(ctrl.ifno, &uioc->ifno) || | 1540 | if (!access_ok(VERIFY_READ, uioc, sizeof(*uioc)) || |
1540 | get_user(ctrl.ioctl_code, &uioc->ioctl_code) || | 1541 | __get_user(ctrl.ifno, &uioc->ifno) || |
1542 | __get_user(ctrl.ioctl_code, &uioc->ioctl_code) || | ||
1541 | __get_user(udata, &uioc->data)) | 1543 | __get_user(udata, &uioc->data)) |
1542 | return -EFAULT; | 1544 | return -EFAULT; |
1543 | ctrl.data = compat_ptr(udata); | 1545 | ctrl.data = compat_ptr(udata); |