diff options
| author | vibi sreenivasan <vibi_sreenivasan@cms.com> | 2009-06-04 11:29:17 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@suse.de> | 2009-06-19 14:00:54 -0400 |
| commit | 7a80bfcd1f4bac61d586d3551f74215ff02e9cba (patch) | |
| tree | 3afb5bda553dd061a612384ab3c6ea7bae471b27 | |
| parent | 8d2db5169d103d03646e7b7e93798739b2290d22 (diff) | |
Staging: rspiusb: copy_to/from_user related fixes
The patch does copy_to/from_user related fixes
*) __copy_from/to_user is enough for user space data buffer checked by access_ok.
*) return -EFAULT if __copy_from/to_user fails.
*) Do not use memcpy to copy from user space.
Signed-off-by: Vibi Sreenivasan <vibi_sreenivasan@cms.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
| -rw-r--r-- | drivers/staging/rspiusb/rspiusb.c | 44 |
1 files changed, 30 insertions, 14 deletions
diff --git a/drivers/staging/rspiusb/rspiusb.c b/drivers/staging/rspiusb/rspiusb.c index ebdbe41fbcc3..1cdfe69585ea 100644 --- a/drivers/staging/rspiusb/rspiusb.c +++ b/drivers/staging/rspiusb/rspiusb.c | |||
| @@ -217,8 +217,10 @@ static int pixis_io(struct ioctl_struct *ctrl, struct device_extension *pdx, | |||
| 217 | dbg("numbytes to read = %d", numbytes); | 217 | dbg("numbytes to read = %d", numbytes); |
| 218 | dbg("endpoint # %d", ctrl->endpoint); | 218 | dbg("endpoint # %d", ctrl->endpoint); |
| 219 | 219 | ||
| 220 | if (copy_from_user(uBuf, ctrl->pData, numbytes)) | 220 | if (copy_from_user(uBuf, ctrl->pData, numbytes)) { |
| 221 | dbg("copying ctrl->pData to dummyBuf failed"); | 221 | dbg("copying ctrl->pData to dummyBuf failed"); |
| 222 | return -EFAULT; | ||
| 223 | } | ||
| 222 | 224 | ||
| 223 | do { | 225 | do { |
| 224 | i = usb_bulk_msg(pdx->udev, pdx->hEP[ctrl->endpoint], | 226 | i = usb_bulk_msg(pdx->udev, pdx->hEP[ctrl->endpoint], |
| @@ -304,9 +306,11 @@ static int piusb_ioctl(struct inode *inode, struct file *file, unsigned int cmd, | |||
| 304 | } | 306 | } |
| 305 | switch (cmd) { | 307 | switch (cmd) { |
| 306 | case PIUSB_GETVNDCMD: | 308 | case PIUSB_GETVNDCMD: |
| 307 | if (copy_from_user | 309 | if (__copy_from_user |
| 308 | (&ctrl, (void __user *)arg, sizeof(struct ioctl_struct))) | 310 | (&ctrl, (void __user *)arg, sizeof(struct ioctl_struct))) { |
| 309 | dev_err(&pdx->udev->dev, "copy_from_user failed\n"); | 311 | dev_err(&pdx->udev->dev, "copy_from_user failed\n"); |
| 312 | return -EFAULT; | ||
| 313 | } | ||
| 310 | dbg("%s %x\n", "Get Vendor Command = ", ctrl.cmd); | 314 | dbg("%s %x\n", "Get Vendor Command = ", ctrl.cmd); |
| 311 | retval = | 315 | retval = |
| 312 | usb_control_msg(pdx->udev, usb_rcvctrlpipe(pdx->udev, 0), | 316 | usb_control_msg(pdx->udev, usb_rcvctrlpipe(pdx->udev, 0), |
| @@ -321,9 +325,11 @@ static int piusb_ioctl(struct inode *inode, struct file *file, unsigned int cmd, | |||
| 321 | return retval; | 325 | return retval; |
| 322 | 326 | ||
| 323 | case PIUSB_SETVNDCMD: | 327 | case PIUSB_SETVNDCMD: |
| 324 | if (copy_from_user | 328 | if (__copy_from_user |
| 325 | (&ctrl, (void __user *)arg, sizeof(struct ioctl_struct))) | 329 | (&ctrl, (void __user *)arg, sizeof(struct ioctl_struct))) { |
| 326 | dev_err(&pdx->udev->dev, "copy_from_user failed\n"); | 330 | dev_err(&pdx->udev->dev, "copy_from_user failed\n"); |
| 331 | return -EFAULT; | ||
| 332 | } | ||
| 327 | /* dbg( "%s %x", "Set Vendor Command = ",ctrl.cmd ); */ | 333 | /* dbg( "%s %x", "Set Vendor Command = ",ctrl.cmd ); */ |
| 328 | controlData = ctrl.pData[0]; | 334 | controlData = ctrl.pData[0]; |
| 329 | controlData |= (ctrl.pData[1] << 8); | 335 | controlData |= (ctrl.pData[1] << 8); |
| @@ -341,9 +347,11 @@ static int piusb_ioctl(struct inode *inode, struct file *file, unsigned int cmd, | |||
| 341 | return ((pdx->udev->speed == USB_SPEED_HIGH) ? 1 : 0); | 347 | return ((pdx->udev->speed == USB_SPEED_HIGH) ? 1 : 0); |
| 342 | 348 | ||
| 343 | case PIUSB_WRITEPIPE: | 349 | case PIUSB_WRITEPIPE: |
| 344 | if (copy_from_user(&ctrl, (void __user *)arg, _IOC_SIZE(cmd))) | 350 | if (__copy_from_user(&ctrl, (void __user *)arg, _IOC_SIZE(cmd))) { |
| 345 | dev_err(&pdx->udev->dev, | 351 | dev_err(&pdx->udev->dev, |
| 346 | "copy_from_user WRITE_DUMMY failed\n"); | 352 | "copy_from_user WRITE_DUMMY failed\n"); |
| 353 | return -EFAULT; | ||
| 354 | } | ||
| 347 | if (!access_ok(VERIFY_READ, ctrl.pData, ctrl.numbytes)) { | 355 | if (!access_ok(VERIFY_READ, ctrl.pData, ctrl.numbytes)) { |
| 348 | dbg("can't access pData"); | 356 | dbg("can't access pData"); |
| 349 | return 0; | 357 | return 0; |
| @@ -352,9 +360,11 @@ static int piusb_ioctl(struct inode *inode, struct file *file, unsigned int cmd, | |||
| 352 | return ctrl.numbytes; | 360 | return ctrl.numbytes; |
| 353 | 361 | ||
| 354 | case PIUSB_USERBUFFER: | 362 | case PIUSB_USERBUFFER: |
| 355 | if (copy_from_user | 363 | if (__copy_from_user |
| 356 | (&ctrl, (void __user *)arg, sizeof(struct ioctl_struct))) | 364 | (&ctrl, (void __user *)arg, sizeof(struct ioctl_struct))) { |
| 357 | dev_err(&pdx->udev->dev, "copy_from_user failed\n"); | 365 | dev_err(&pdx->udev->dev, "copy_from_user failed\n"); |
| 366 | return -EFAULT; | ||
| 367 | } | ||
| 358 | return MapUserBuffer((struct ioctl_struct *) &ctrl, pdx); | 368 | return MapUserBuffer((struct ioctl_struct *) &ctrl, pdx); |
| 359 | 369 | ||
| 360 | case PIUSB_UNMAP_USERBUFFER: | 370 | case PIUSB_UNMAP_USERBUFFER: |
| @@ -362,10 +372,11 @@ static int piusb_ioctl(struct inode *inode, struct file *file, unsigned int cmd, | |||
| 362 | return retval; | 372 | return retval; |
| 363 | 373 | ||
| 364 | case PIUSB_READPIPE: | 374 | case PIUSB_READPIPE: |
| 365 | if (copy_from_user(&ctrl, (void __user *)arg, | 375 | if (__copy_from_user(&ctrl, (void __user *)arg, |
| 366 | sizeof(struct ioctl_struct))) | 376 | sizeof(struct ioctl_struct))) { |
| 367 | dev_err(&pdx->udev->dev, "copy_from_user failed\n"); | 377 | dev_err(&pdx->udev->dev, "copy_from_user failed\n"); |
| 368 | 378 | return -EFAULT; | |
| 379 | } | ||
| 369 | if (((0 == ctrl.endpoint) && (PIXIS_PID == pdx->iama)) || | 380 | if (((0 == ctrl.endpoint) && (PIXIS_PID == pdx->iama)) || |
| 370 | (1 == ctrl.endpoint) || /* ST133IO */ | 381 | (1 == ctrl.endpoint) || /* ST133IO */ |
| 371 | (4 == ctrl.endpoint)) /* PIXIS IO */ | 382 | (4 == ctrl.endpoint)) /* PIXIS IO */ |
| @@ -383,9 +394,11 @@ static int piusb_ioctl(struct inode *inode, struct file *file, unsigned int cmd, | |||
| 383 | 394 | ||
| 384 | case PIUSB_SETFRAMESIZE: | 395 | case PIUSB_SETFRAMESIZE: |
| 385 | dbg("PIUSB_SETFRAMESIZE"); | 396 | dbg("PIUSB_SETFRAMESIZE"); |
| 386 | if (copy_from_user | 397 | if (__copy_from_user |
| 387 | (&ctrl, (void __user *)arg, sizeof(struct ioctl_struct))) | 398 | (&ctrl, (void __user *)arg, sizeof(struct ioctl_struct))) { |
| 388 | dev_err(&pdx->udev->dev, "copy_from_user failed\n"); | 399 | dev_err(&pdx->udev->dev, "copy_from_user failed\n"); |
| 400 | return -EFAULT; | ||
| 401 | } | ||
| 389 | pdx->frameSize = ctrl.numbytes; | 402 | pdx->frameSize = ctrl.numbytes; |
| 390 | pdx->num_frames = ctrl.numFrames; | 403 | pdx->num_frames = ctrl.numFrames; |
| 391 | if (!pdx->sgl) | 404 | if (!pdx->sgl) |
| @@ -451,7 +464,10 @@ int piusb_output(struct ioctl_struct *io, unsigned char *uBuf, int len, | |||
| 451 | dev_err(&pdx->udev->dev, "buffer_alloc failed\n"); | 464 | dev_err(&pdx->udev->dev, "buffer_alloc failed\n"); |
| 452 | return -ENOMEM; | 465 | return -ENOMEM; |
| 453 | } | 466 | } |
| 454 | memcpy(kbuf, uBuf, len); | 467 | if(__copy_from_user(kbuf, uBuf, len)) { |
| 468 | dev_err(&pdx->udev->dev, "__copy_from_user failed\n"); | ||
| 469 | return -EFAULT; | ||
| 470 | } | ||
| 455 | usb_fill_bulk_urb(urb, pdx->udev, pdx->hEP[io->endpoint], kbuf, | 471 | usb_fill_bulk_urb(urb, pdx->udev, pdx->hEP[io->endpoint], kbuf, |
| 456 | len, piusb_write_bulk_callback, pdx); | 472 | len, piusb_write_bulk_callback, pdx); |
| 457 | urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; | 473 | urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; |