diff options
| author | Dongxiao Xu <dongxiao.xu@intel.com> | 2009-05-31 02:43:35 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@suse.de> | 2009-06-19 14:00:54 -0400 |
| commit | 36e844671cbdace27f0462a46cedde0a4d6b1001 (patch) | |
| tree | 84f52daeb2f564f961ff0b3528e05355f1000850 /drivers/staging | |
| parent | 7a80bfcd1f4bac61d586d3551f74215ff02e9cba (diff) | |
Staging: heci: fix userspace pointer mess
Fix userspace pointer mess.
- In memcmp(), dest and src pointer should be both in kernel space.
- Add (void __user *) modification before userspace pointer.
Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'drivers/staging')
| -rw-r--r-- | drivers/staging/heci/heci_main.c | 9 | ||||
| -rw-r--r-- | drivers/staging/heci/io_heci.c | 15 |
2 files changed, 15 insertions, 9 deletions
diff --git a/drivers/staging/heci/heci_main.c b/drivers/staging/heci/heci_main.c index 00e44c781428..daf1107cb8e0 100644 --- a/drivers/staging/heci/heci_main.c +++ b/drivers/staging/heci/heci_main.c | |||
| @@ -1140,9 +1140,12 @@ static ssize_t heci_write(struct file *file, const char __user *ubuf, | |||
| 1140 | spin_lock(&file_ext->file_lock); | 1140 | spin_lock(&file_ext->file_lock); |
| 1141 | file_ext->sm_state = 0; | 1141 | file_ext->sm_state = 0; |
| 1142 | if ((length == 4) && | 1142 | if ((length == 4) && |
| 1143 | ((memcmp(heci_wd_state_independence_msg[0], ubuf, 4) == 0) || | 1143 | ((memcmp(heci_wd_state_independence_msg[0], |
| 1144 | (memcmp(heci_wd_state_independence_msg[1], ubuf, 4) == 0) || | 1144 | priv_write_cb->request_buffer.data, 4) == 0) || |
| 1145 | (memcmp(heci_wd_state_independence_msg[2], ubuf, 4) == 0))) | 1145 | (memcmp(heci_wd_state_independence_msg[1], |
| 1146 | priv_write_cb->request_buffer.data, 4) == 0) || | ||
| 1147 | (memcmp(heci_wd_state_independence_msg[2], | ||
| 1148 | priv_write_cb->request_buffer.data, 4) == 0))) | ||
| 1146 | file_ext->sm_state |= HECI_WD_STATE_INDEPENDENCE_MSG_SENT; | 1149 | file_ext->sm_state |= HECI_WD_STATE_INDEPENDENCE_MSG_SENT; |
| 1147 | spin_unlock(&file_ext->file_lock); | 1150 | spin_unlock(&file_ext->file_lock); |
| 1148 | 1151 | ||
diff --git a/drivers/staging/heci/io_heci.c b/drivers/staging/heci/io_heci.c index f7544a7bbbe0..619eeed87ea2 100644 --- a/drivers/staging/heci/io_heci.c +++ b/drivers/staging/heci/io_heci.c | |||
| @@ -111,7 +111,7 @@ int heci_ioctl_get_version(struct iamt_heci_device *dev, int if_num, | |||
| 111 | 111 | ||
| 112 | rets = file_ext->status; | 112 | rets = file_ext->status; |
| 113 | /* now copy the data to user space */ | 113 | /* now copy the data to user space */ |
| 114 | if (copy_to_user(k_msg.data, res_msg.data, res_msg.size)) { | 114 | if (copy_to_user((void __user *)k_msg.data, res_msg.data, res_msg.size)) { |
| 115 | rets = -EFAULT; | 115 | rets = -EFAULT; |
| 116 | goto end; | 116 | goto end; |
| 117 | } | 117 | } |
| @@ -188,7 +188,7 @@ int heci_ioctl_connect_client(struct iamt_heci_device *dev, int if_num, | |||
| 188 | /* copy the message to kernel space - | 188 | /* copy the message to kernel space - |
| 189 | * use a pointer already copied into kernel space | 189 | * use a pointer already copied into kernel space |
| 190 | */ | 190 | */ |
| 191 | if (copy_from_user(req_msg.data, k_msg.data, k_msg.size)) { | 191 | if (copy_from_user(req_msg.data, (void __user *)k_msg.data, k_msg.size)) { |
| 192 | rets = -EFAULT; | 192 | rets = -EFAULT; |
| 193 | goto end; | 193 | goto end; |
| 194 | } | 194 | } |
| @@ -266,7 +266,8 @@ int heci_ioctl_connect_client(struct iamt_heci_device *dev, int if_num, | |||
| 266 | spin_unlock_bh(&dev->device_lock); | 266 | spin_unlock_bh(&dev->device_lock); |
| 267 | 267 | ||
| 268 | /* now copy the data to user space */ | 268 | /* now copy the data to user space */ |
| 269 | if (copy_to_user(k_msg.data, res_msg.data, res_msg.size)) { | 269 | if (copy_to_user((void __user *)k_msg.data, |
| 270 | res_msg.data, res_msg.size)) { | ||
| 270 | rets = -EFAULT; | 271 | rets = -EFAULT; |
| 271 | goto end; | 272 | goto end; |
| 272 | } | 273 | } |
| @@ -320,7 +321,8 @@ int heci_ioctl_connect_client(struct iamt_heci_device *dev, int if_num, | |||
| 320 | DBG("successfully connected to FW client.\n"); | 321 | DBG("successfully connected to FW client.\n"); |
| 321 | rets = file_ext->status; | 322 | rets = file_ext->status; |
| 322 | /* now copy the data to user space */ | 323 | /* now copy the data to user space */ |
| 323 | if (copy_to_user(k_msg.data, res_msg.data, res_msg.size)) { | 324 | if (copy_to_user((void __user *)k_msg.data, |
| 325 | res_msg.data, res_msg.size)) { | ||
| 324 | rets = -EFAULT; | 326 | rets = -EFAULT; |
| 325 | goto end; | 327 | goto end; |
| 326 | } | 328 | } |
| @@ -394,7 +396,8 @@ int heci_ioctl_wd(struct iamt_heci_device *dev, int if_num, | |||
| 394 | /* copy the message to kernel space - use a pointer already | 396 | /* copy the message to kernel space - use a pointer already |
| 395 | * copied into kernel space | 397 | * copied into kernel space |
| 396 | */ | 398 | */ |
| 397 | if (copy_from_user(req_msg.data, k_msg.data, req_msg.size)) { | 399 | if (copy_from_user(req_msg.data, |
| 400 | (void __user *)k_msg.data, req_msg.size)) { | ||
| 398 | rets = -EFAULT; | 401 | rets = -EFAULT; |
| 399 | goto end; | 402 | goto end; |
| 400 | } | 403 | } |
| @@ -464,7 +467,7 @@ int heci_ioctl_bypass_wd(struct iamt_heci_device *dev, int if_num, | |||
| 464 | return -EMSGSIZE; | 467 | return -EMSGSIZE; |
| 465 | } | 468 | } |
| 466 | spin_unlock(&file_ext->file_lock); | 469 | spin_unlock(&file_ext->file_lock); |
| 467 | if (copy_from_user(&flag, k_msg.data, 1)) { | 470 | if (copy_from_user(&flag, (void __user *)k_msg.data, 1)) { |
| 468 | rets = -EFAULT; | 471 | rets = -EFAULT; |
| 469 | goto end; | 472 | goto end; |
| 470 | } | 473 | } |