projects / GitHub / moto-9609 / android_kernel_motorola_exynos9610.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 34ad7cd)
s390/vmcp: fix uaccess check and avoid undefined behavior
authorHeiko Carstens <heiko.carstens@de.ibm.com>
Mon, 7 Aug 2017 13:16:15 +0000 (15:16 +0200)
committerMartin Schwidefsky <schwidefsky@de.ibm.com>
Wed, 9 Aug 2017 13:09:32 +0000 (09:09 -0400)
The vmcp device driver should return -EFAULT if get_user() fails, due
to an invalid user space address. In addition the buffer size value
from user space is passed unchecked to get_order(). The return value
of get_order(0) undefined.

Therefore explicitly test for zero before calling get_order() and also
return -EFAULT if get_user() fails.

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
drivers/s390/char/vmcp.c patch | blob | blame | history

diff --git a/drivers/s390/char/vmcp.c b/drivers/s390/char/vmcp.c
index 98749fa817dac98863cc36afb0822c49018ea89e..66d5e9f83e0d93231b7eb5ab80d1eca37da0fc37 100644 (file)
--- a/drivers/s390/char/vmcp.c
+++ b/drivers/s390/char/vmcp.c
@@ -150,7 +150,9 @@ static long vmcp_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
                                get_order(session->bufsize));
                session->response=NULL;
                temp = get_user(session->bufsize, argp);
-               if (get_order(session->bufsize) > 8) {
+               if (temp)
+                       session->bufsize = PAGE_SIZE;
+               if (!session->bufsize || get_order(session->bufsize) > 8) {
                        session->bufsize = PAGE_SIZE;
                        temp = -EINVAL;
                }