From: Philippe Retornaz Date: Fri, 2 Jun 2006 03:48:46 +0000 (-0700) Subject: [PATCH] usb: drivers/usb/core/devio.c dereferences a userspace pointer X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=786dc1d3d7333f269e17d742886eac2188a2d9cc;p=GitHub%2Fmoto-9609%2Fandroid_kernel_motorola_exynos9610.git [PATCH] usb: drivers/usb/core/devio.c dereferences a userspace pointer See http://bugzilla.kernel.org/show_bug.cgi?id=6617. This function dereference a __user pointer. Signed-off-by: Philippe Retornaz Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c index df3fb57d71e6..2eda52fc1ebc 100644 --- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -1078,7 +1078,9 @@ static int proc_submiturb(struct dev_state *ps, void __user *arg) if (copy_from_user(&uurb, arg, sizeof(uurb))) return -EFAULT; - return proc_do_submiturb(ps, &uurb, (((struct usbdevfs_urb __user *)arg)->iso_frame_desc), arg); + return proc_do_submiturb(ps, &uurb, + (struct usbdevfs_iso_packet_desc __user *)uurb.iso_frame_desc, + arg); } static int proc_unlinkurb(struct dev_state *ps, void __user *arg) @@ -1203,7 +1205,9 @@ static int proc_submiturb_compat(struct dev_state *ps, void __user *arg) if (get_urb32(&uurb,(struct usbdevfs_urb32 *)arg)) return -EFAULT; - return proc_do_submiturb(ps, &uurb, ((struct usbdevfs_urb32 __user *)arg)->iso_frame_desc, arg); + return proc_do_submiturb(ps, &uurb, + (struct usbdevfs_iso_packet_desc __user *)uurb.iso_frame_desc, + arg); } static int processcompl_compat(struct async *as, void __user * __user *arg)