From 267239cc10f18251892a0783104df3dc22b620d5 Mon Sep 17 00:00:00 2001
From: Heiko Carstens <heiko.carstens@de.ibm.com>
Date: Mon, 7 Aug 2017 15:16:15 +0200
Subject: [PATCH] s390/vmcp: fix uaccess check and avoid undefined behavior

The vmcp device driver should return -EFAULT if get_user() fails, due
to an invalid user space address. In addition the buffer size value
from user space is passed unchecked to get_order(). The return value
of get_order(0) undefined.

Therefore explicitly test for zero before calling get_order() and also
return -EFAULT if get_user() fails.

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
---
 drivers/s390/char/vmcp.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/s390/char/vmcp.c b/drivers/s390/char/vmcp.c
index 98749fa817da..66d5e9f83e0d 100644
--- a/drivers/s390/char/vmcp.c
+++ b/drivers/s390/char/vmcp.c
@@ -150,7 +150,9 @@ static long vmcp_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 				get_order(session->bufsize));
 		session->response=NULL;
 		temp = get_user(session->bufsize, argp);
-		if (get_order(session->bufsize) > 8) {
+		if (temp)
+			session->bufsize = PAGE_SIZE;
+		if (!session->bufsize || get_order(session->bufsize) > 8) {
 			session->bufsize = PAGE_SIZE;
 			temp = -EINVAL;
 		}
-- 
2.20.1