From: Heiko Carstens Date: Mon, 7 Aug 2017 13:16:15 +0000 (+0200) Subject: s390/vmcp: fix uaccess check and avoid undefined behavior X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=267239cc10f18251892a0783104df3dc22b620d5;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git s390/vmcp: fix uaccess check and avoid undefined behavior The vmcp device driver should return -EFAULT if get_user() fails, due to an invalid user space address. In addition the buffer size value from user space is passed unchecked to get_order(). The return value of get_order(0) undefined. Therefore explicitly test for zero before calling get_order() and also return -EFAULT if get_user() fails. Signed-off-by: Heiko Carstens Signed-off-by: Martin Schwidefsky --- diff --git a/drivers/s390/char/vmcp.c b/drivers/s390/char/vmcp.c index 98749fa817da..66d5e9f83e0d 100644 --- a/drivers/s390/char/vmcp.c +++ b/drivers/s390/char/vmcp.c @@ -150,7 +150,9 @@ static long vmcp_ioctl(struct file *file, unsigned int cmd, unsigned long arg) get_order(session->bufsize)); session->response=NULL; temp = get_user(session->bufsize, argp); - if (get_order(session->bufsize) > 8) { + if (temp) + session->bufsize = PAGE_SIZE; + if (!session->bufsize || get_order(session->bufsize) > 8) { session->bufsize = PAGE_SIZE; temp = -EINVAL; }