aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Buesch <mb@bu3sch.de>2009-07-29 05:39:03 -0400
committerGreg Kroah-Hartman <gregkh@suse.de>2009-08-07 19:05:12 -0400
commit18753ebc8a98efe0e8ff6167afb31cef220c8e50 (patch)
tree7c2d95b3758acf4cf3b42aec04d284ae67de1647
parent49276560c9004fce24c42e3c0ad75f34d956fc63 (diff)
USB: devio: Properly do access_ok() checks
access_ok() checks must be done on every part of the userspace structure that is accessed. If access_ok() on one part of the struct succeeded, it does not imply it will succeed on other parts of the struct. (Does depend on the architecture implementation of access_ok()). This changes the __get_user() users to first check access_ok() on the data structure. Signed-off-by: Michael Buesch <mb@bu3sch.de> Cc: stable <stable@kernel.org> Cc: Pete Zaitcev <zaitcev@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--drivers/usb/core/devio.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
index 38b8bce782d6..e192fa05f8a1 100644
--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -1321,7 +1321,8 @@ static int get_urb32(struct usbdevfs_urb *kurb,
1321 struct usbdevfs_urb32 __user *uurb) 1321 struct usbdevfs_urb32 __user *uurb)
1322{ 1322{
1323 __u32 uptr; 1323 __u32 uptr;
1324 if (get_user(kurb->type, &uurb->type) || 1324 if (!access_ok(VERIFY_READ, uurb, sizeof(*uurb)) ||
1325 __get_user(kurb->type, &uurb->type) ||
1325 __get_user(kurb->endpoint, &uurb->endpoint) || 1326 __get_user(kurb->endpoint, &uurb->endpoint) ||
1326 __get_user(kurb->status, &uurb->status) || 1327 __get_user(kurb->status, &uurb->status) ||
1327 __get_user(kurb->flags, &uurb->flags) || 1328 __get_user(kurb->flags, &uurb->flags) ||
@@ -1536,8 +1537,9 @@ static int proc_ioctl_compat(struct dev_state *ps, compat_uptr_t arg)
1536 u32 udata; 1537 u32 udata;
1537 1538
1538 uioc = compat_ptr((long)arg); 1539 uioc = compat_ptr((long)arg);
1539 if (get_user(ctrl.ifno, &uioc->ifno) || 1540 if (!access_ok(VERIFY_READ, uioc, sizeof(*uioc)) ||
1540 get_user(ctrl.ioctl_code, &uioc->ioctl_code) || 1541 __get_user(ctrl.ifno, &uioc->ifno) ||
1542 __get_user(ctrl.ioctl_code, &uioc->ioctl_code) ||
1541 __get_user(udata, &uioc->data)) 1543 __get_user(udata, &uioc->data))
1542 return -EFAULT; 1544 return -EFAULT;
1543 ctrl.data = compat_ptr(udata); 1545 ctrl.data = compat_ptr(udata);