Message-Id: <1454505940-18094-9-git-send-email-gustavo@padovan.org>
Date:	Wed,  3 Feb 2016 11:25:37 -0200
From:	Gustavo Padovan <gustavo@...ovan.org>
To:	Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Cc:	linux-kernel@...r.kernel.org, devel@...verdev.osuosl.org,
	dri-devel@...ts.freedesktop.org,
	Daniel Stone <daniels@...labora.com>,
	Arve Hjønnevåg <arve@...roid.com>,
	Riley Andrews <riandrews@...roid.com>,
	Daniel Vetter <daniel.vetter@...ll.ch>,
	Rob Clark <robdclark@...il.com>,
	Greg Hackmann <ghackmann@...gle.com>,
	John Harrison <John.C.Harrison@...el.com>,
	Maarten Lankhorst <maarten.lankhorst@...ux.intel.com>,
	Gustavo Padovan <gustavo.padovan@...labora.co.uk>
Subject: [PATCH v3 08/11] staging/android: make info->len return only size of sync_fence_info array

From: Gustavo Padovan <gustavo.padovan@...labora.co.uk>

The len member of struct sync_file_info was returning the size of the whole
buffer (struct sync_file_info + sync_fence_infos at the end of it). This commit
changes it to return only the size of the array of sync_fence_infos.

It also moves len to be right before the sync_fence_info field.

v2: fix check for name field (Maarten)

Signed-off-by: Gustavo Padovan <gustavo.padovan@...labora.co.uk>
---
 drivers/staging/android/sync.c      | 17 ++++++++++++-----
 drivers/staging/android/uapi/sync.h |  7 +++----
 2 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/drivers/staging/android/sync.c b/drivers/staging/android/sync.c
index e301b55..d6cf89f 100644
--- a/drivers/staging/android/sync.c
+++ b/drivers/staging/android/sync.c
@@ -502,14 +502,20 @@ static int sync_fill_fence_info(struct fence *fence, void *data, int size)
 static long sync_file_ioctl_fence_info(struct sync_file *sync_file,
 					unsigned long arg)
 {
-	struct sync_file_info *info;
+	struct sync_file_info in, *info;
 	__u32 size;
-	__u32 len = 0;
+	__u32 b_len, len = 0;
 	int ret, i;
 
-	if (copy_from_user(&size, (void __user *)arg, sizeof(size)))
+	if (copy_from_user(&in, (void __user *)arg, sizeof(*info)))
 		return -EFAULT;
 
+	if (in.status || in.num_fences || in.sync_fence_info ||
+	    strcmp(in.name, "\0"))
+		return -EFAULT;
+
+	size = in.len;
+
 	if (size < sizeof(struct sync_file_info))
 		return -EINVAL;
 
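Review bot: The `strcmp(in.name, "\0")` test at the end of the new validation only examines `in.name[0]`, because `"\0"` is an empty string as far as strcmp is concerned, so the remaining 31 bytes of the user-supplied name are accepted with any content. If the intent is that every field other than len arrives zeroed, `memchr_inv(in.name, 0, sizeof(in.name))` checks the whole array; if only the first byte matters, `in.name[0]` says so directly. The rejection also returns `-EFAULT`, which callers read as a bad pointer; `-EINVAL` would match the size check just below it. The body of sync_file_ioctl_fence_info continues outside this hunk.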
@@ -527,8 +533,9 @@ static long sync_file_ioctl_fence_info(struct sync_file *sync_file,
 
 	info->num_fences = sync_file->num_fences;
 
-	len = sizeof(struct sync_file_info) - sizeof(__u64);
+	b_len = sizeof(struct sync_file_info) - sizeof(__u64);
 
+	len = b_len;
 	for (i = 0; i < sync_file->num_fences; ++i) {
 		struct fence *fence = sync_file->cbs[i].fence;
 
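Review bot: `b_len = sizeof(struct sync_file_info) - sizeof(__u64);` derives the header length by subtraction, which is only right while sync_fence_info is the last member and the struct has no trailing padding. `b_len = offsetof(struct sync_file_info, sync_fence_info);` states the same offset directly and survives a field being appended later; a name such as `hdr_len` would also read better than `b_len`. The loop this value feeds continues outside the hunk.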
@@ -540,7 +547,7 @@ static long sync_file_ioctl_fence_info(struct sync_file *sync_file,
 		len += ret;
 	}
 
-	info->len = len;
+	info->len = len - b_len;
 
 	if (copy_to_user((void __user *)arg, info, len))
 		ret = -EFAULT;
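Review bot: After `info->len = len - b_len;` the field carries two different units: on input it must be at least `sizeof(struct sync_file_info)` (the check in the first hunk), so it counts the header, while on output it counts only the fence array. A caller that reuses the returned value as the next request's length would be rejected or would under-size its buffer. Either document the asymmetry next to the assignment, e.g. `/* out: bytes of sync_fence_info only; in: whole buffer size */`, or make both directions use the same unit. The local `len` still holds the total passed to copy_to_user(), and the function's return path is outside this hunk.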
diff --git a/drivers/staging/android/uapi/sync.h b/drivers/staging/android/uapi/sync.h
index fc7fbcf..4e1d38b 100644
--- a/drivers/staging/android/uapi/sync.h
+++ b/drivers/staging/android/uapi/sync.h
@@ -42,19 +42,18 @@ struct sync_fence_info {
 
 /**
  * struct sync_file_info - data returned from fence info ioctl
- * @len:	ioctl caller writes the size of the buffer its passing in.
- *		ioctl returns length of sync_file_info returned to
- *		userspace including pt_info.
  * @name:	name of fence
  * @status:	status of fence. 1: signaled 0:active <0:error
  * @num_fences	number of fences in the sync_file
+ * @len:	ioctl caller writes the size of the buffer its passing in.
+ *		ioctl returns length of all fence_infos summed.
  * @sync_fence_info: array of sync_fence_info for every fence in the sync_file
  */
 struct sync_file_info {
-	__u32	len;
 	char	name[32];
 	__s32	status;
 	__u32	num_fences;
+	__u32	len;
 
 	__u64	sync_fence_info;
 };
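Review bot: With `len` moved after `num_fences`, the 32-bit members end at offset 44 and `__u64 sync_fence_info` follows with no explicit padding. ABIs that align __u64 to 8 bytes insert a 4-byte hole there, while 32-bit x86 aligns it to 4, so the two layouts differ and a 32-bit process on a 64-bit kernel would presumably need a compat path. An explicit `__u32 pad;` before `sync_fence_info`, checked for zero like the other reserved fields, fixes the layout for every ABI and removes the implicit hole from the buffer copied back to userspace. In the kernel-doc, `@num_fences` is also missing its colon.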
-- 
2.5.0
