Commit 18753ebc authored by Michael Buesch's avatar Michael Buesch Committed by Greg Kroah-Hartman

USB: devio: Properly do access_ok() checks

access_ok() checks must be done on every part of the userspace structure
that is accessed. If access_ok() on one part of the struct succeeded, it
does not imply it will succeed on other parts of the struct. (Does
depend on the architecture implementation of access_ok()).

This changes the __get_user() users to first check access_ok() on the
data structure.
Signed-off-by: default avatarMichael Buesch <mb@bu3sch.de>
Cc: stable <stable@kernel.org>
Cc: Pete Zaitcev <zaitcev@redhat.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
parent 49276560
...@@ -1321,7 +1321,8 @@ static int get_urb32(struct usbdevfs_urb *kurb, ...@@ -1321,7 +1321,8 @@ static int get_urb32(struct usbdevfs_urb *kurb,
struct usbdevfs_urb32 __user *uurb) struct usbdevfs_urb32 __user *uurb)
{ {
__u32 uptr; __u32 uptr;
if (get_user(kurb->type, &uurb->type) || if (!access_ok(VERIFY_READ, uurb, sizeof(*uurb)) ||
__get_user(kurb->type, &uurb->type) ||
__get_user(kurb->endpoint, &uurb->endpoint) || __get_user(kurb->endpoint, &uurb->endpoint) ||
__get_user(kurb->status, &uurb->status) || __get_user(kurb->status, &uurb->status) ||
__get_user(kurb->flags, &uurb->flags) || __get_user(kurb->flags, &uurb->flags) ||
...@@ -1536,8 +1537,9 @@ static int proc_ioctl_compat(struct dev_state *ps, compat_uptr_t arg) ...@@ -1536,8 +1537,9 @@ static int proc_ioctl_compat(struct dev_state *ps, compat_uptr_t arg)
u32 udata; u32 udata;
uioc = compat_ptr((long)arg); uioc = compat_ptr((long)arg);
if (get_user(ctrl.ifno, &uioc->ifno) || if (!access_ok(VERIFY_READ, uioc, sizeof(*uioc)) ||
get_user(ctrl.ioctl_code, &uioc->ioctl_code) || __get_user(ctrl.ifno, &uioc->ifno) ||
__get_user(ctrl.ioctl_code, &uioc->ioctl_code) ||
__get_user(udata, &uioc->data)) __get_user(udata, &uioc->data))
return -EFAULT; return -EFAULT;
ctrl.data = compat_ptr(udata); ctrl.data = compat_ptr(udata);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment