lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:	Thu, 19 Jun 2014 21:52:15 -0000
Subject: [PATCH] spi: spidev: Fix user-space memory access.

When the spidev module tries to access the user space memory passed in via
an IOCTL the compat_ptr function should be called to ensure
compatibility between kernel space and user space.

Signed-off-by: Dan Sneddon <>
 drivers/spi/spidev.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c
index e3bc23b..3a45158 100644
--- a/drivers/spi/spidev.c
+++ b/drivers/spi/spidev.c
@@ -252,14 +252,16 @@ static int spidev_message(struct spidev_data *spidev,
                if (u_tmp->rx_buf) {
                        k_tmp->rx_buf = buf;
                        if (!access_ok(VERIFY_WRITE, (u8 __user *)
-                                               (uintptr_t) u_tmp->rx_buf,
+                                               (uintptr_t)compat_ptr( +  
                                goto done;
                if (u_tmp->tx_buf) {
                        k_tmp->tx_buf = buf;
                        if (copy_from_user(buf, (const u8 __user *)
-                                               (uintptr_t) u_tmp->tx_buf,
+                                               (uintptr_t)compat_ptr( +  
                                goto done;
@@ -294,8 +296,8 @@ static int spidev_message(struct spidev_data *spidev,
        for (n = n_xfers, u_tmp = u_xfers; n; n--, u_tmp++) {
                if (u_tmp->rx_buf) {
                        if (__copy_to_user((u8 __user *)
-                                       (uintptr_t) u_tmp->rx_buf, buf, - 
                                     u_tmp->len)) {
+                                       buf, u_tmp->len)) {
                                status = -EFAULT;
                                goto done;

sent by an employee of the Qualcomm Innovation Center, Inc.
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
hosted by The Linux Foundation

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
More majordomo info at
Please read the FAQ at

Powered by blists - more mailing lists