lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 19 Jun 2014 21:52:15 -0000
From:	dsneddon@...eaurora.org
To:	linux-spi@...r.kernel.org
Cc:	broonie@...nel.org, linux-kernel@...r.kernel.org,
	linux-arm-msm@...r.kernel.org
Subject: [PATCH] spi: spidev: Fix user-space memory access.

When the spidev module tries to access the user space memory passed in via
an IOCTL the compat_ptr function should be called to ensure
compatibility between kernel space and user space.

Signed-off-by: Dan Sneddon <dsneddon@...eaurora.org>
---
 drivers/spi/spidev.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/spi/spidev.c b/drivers/spi/spidev.c
index e3bc23b..3a45158 100644
--- a/drivers/spi/spidev.c
+++ b/drivers/spi/spidev.c
@@ -252,14 +252,16 @@ static int spidev_message(struct spidev_data *spidev,
                if (u_tmp->rx_buf) {
                        k_tmp->rx_buf = buf;
                        if (!access_ok(VERIFY_WRITE, (u8 __user *)
-                                               (uintptr_t) u_tmp->rx_buf,
+                                               (uintptr_t)compat_ptr( +  
                                                    u_tmp->rx_buf),
                                                u_tmp->len))
                                goto done;
                }
                if (u_tmp->tx_buf) {
                        k_tmp->tx_buf = buf;
                        if (copy_from_user(buf, (const u8 __user *)
-                                               (uintptr_t) u_tmp->tx_buf,
+                                               (uintptr_t)compat_ptr( +  
                                                    u_tmp->tx_buf),
                                        u_tmp->len))
                                goto done;
                }
@@ -294,8 +296,8 @@ static int spidev_message(struct spidev_data *spidev,
        for (n = n_xfers, u_tmp = u_xfers; n; n--, u_tmp++) {
                if (u_tmp->rx_buf) {
                        if (__copy_to_user((u8 __user *)
-                                       (uintptr_t) u_tmp->rx_buf, buf, - 
                                     u_tmp->len)) {
+
(uintptr_t)compat_ptr(u_tmp->rx_buf),
+                                       buf, u_tmp->len)) {
                                status = -EFAULT;
                                goto done;
                        }
--
1.8.4






---
sent by an employee of the Qualcomm Innovation Center, Inc.
The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum,
hosted by The Linux Foundation

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ