sanitize do_i2c_smbus_ioctl()
authorAl Viro <viro@zeniv.linux.org.uk>
Tue, 2 May 2017 16:46:27 +0000 (12:46 -0400)
committerAl Viro <viro@zeniv.linux.org.uk>
Thu, 25 May 2017 21:52:59 +0000 (17:52 -0400)
no need to mess with __copy_in_user()

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
fs/compat_ioctl.c

index 6116d5275a3ecc7f95d3e3009cca261f8b7c075d..2237e28fd5e196a4470ac3ea8f60965fcea029f9 100644 (file)
@@ -739,23 +739,22 @@ static int do_i2c_smbus_ioctl(struct file *file,
                unsigned int cmd, struct i2c_smbus_ioctl_data32   __user *udata)
 {
        struct i2c_smbus_ioctl_data     __user *tdata;
-       compat_caddr_t                  datap;
+       union {
+               /* beginnings of those have identical layouts */
+               struct i2c_smbus_ioctl_data32   data32;
+               struct i2c_smbus_ioctl_data     data;
+       } v;
 
        tdata = compat_alloc_user_space(sizeof(*tdata));
        if (tdata == NULL)
                return -ENOMEM;
-       if (!access_ok(VERIFY_WRITE, tdata, sizeof(*tdata)))
-               return -EFAULT;
 
-       if (!access_ok(VERIFY_READ, udata, sizeof(*udata)))
+       memset(&v, 0, sizeof(v));
+       if (copy_from_user(&v.data32, udata, sizeof(v.data32)))
                return -EFAULT;
+       v.data.data = compat_ptr(v.data32.data);
 
-       if (__copy_in_user(&tdata->read_write, &udata->read_write, 2 * sizeof(u8)))
-               return -EFAULT;
-       if (__copy_in_user(&tdata->size, &udata->size, 2 * sizeof(u32)))
-               return -EFAULT;
-       if (__get_user(datap, &udata->data) ||
-           __put_user(compat_ptr(datap), &tdata->data))
+       if (copy_to_user(tdata, &v.data, sizeof(v.data)))
                return -EFAULT;
 
        return do_ioctl(file, cmd, (unsigned long)tdata);
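Review bot: The union `v` depends on the leading fields (`read_write`, `size`) sitting at the same offsets in `struct i2c_smbus_ioctl_data32` and `struct i2c_smbus_ioctl_data`, but only the comment `/* beginnings of those have identical layouts */` says so and nothing in the hunk enforces it. The struct definitions are not visible here, so a compile-time check beside the union would stop a later layout change from silently mis-translating user-supplied fields, for example `BUILD_BUG_ON(offsetof(struct i2c_smbus_ioctl_data32, size) != offsetof(struct i2c_smbus_ioctl_data, size));`. The `memset(&v, 0, sizeof(v))` also deserves a comment, because the whole of `v.data` is later passed to `copy_to_user()` and any byte not filled by `copy_from_user()` or the pointer assignment would otherwise be uninitialised kernel stack; something like `/* zero first: all of v.data is copied back to user space */` would keep it from being dropped as redundant. The function body closes outside the hunk.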