Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / aa63e18e3ddad4eb15d4af34ae66e7f4dcc7a6d0
commitaa63e18e3ddad4eb15d4af34ae66e7f4dcc7a6d0[log] [tgz]
authorSolomon Peachy <pizza@shaftnet.org>Tue Jun 04 23:37:05 2013 -0400
committerJohn W. Linville <linville@tuxdriver.com>Mon Jun 10 14:41:25 2013 -0400
tree4fd3cb8439a8efc71e4b768257dbaea6f8dddbec
parentcc2588eabbe46820a86e55fccec8b741e15f647f [diff]
cw1200: Sanity-check arguments in copy_from_user()

The optional debugfs interface to the vendor's engineering tools wasn't
bounds checking at all, which made it trivial to perform a buffer
overflow if this interface was compiled in and then explicitly enabled
at runtime.

This patch checks both the length supplied as part of the data to ensure
it is sane, and also the amount of data compared to the remaining buffer
space.  If either is too large, fail immediately.

(This bug was spotted by Dan Carpenter <dan.carpenter@oracle.com>)

Signed-off-by: Solomon Peachy <pizza@shaftnet.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
1 file changed
tree: 4fd3cb8439a8efc71e4b768257dbaea6f8dddbec
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. Kconfig
  28. MAINTAINERS
  29. Makefile
  30. README
  31. REPORTING-BUGS