DivestOS/Patches/Linux_CVEs/CVE-2016-10236/ANY/0.patch

42 lines
1.3 KiB
Diff
Raw Normal View History

From b8199c2b852f1e23c988e10b8fbb8d34c98b4a1c Mon Sep 17 00:00:00 2001
From: Arumuga Durai A <cadurai@codeaurora.org>
Date: Tue, 27 Dec 2016 19:50:06 +0530
Subject: USB: gadget: mbim: Avoid copying uninitialized data to userspace
A race condition bug in function 'mbim_bind_config' allows to
change 'mbim->xport' type to invalid value. This allows
mbim_ioctl() to copy the uninitialized data to userspace. Fix
this by avoiding copy_to_user() call when transport type is invalid.
Change-Id: If8e8b6d4e2c347e1aff529bed0a798128eaea07c
CRs-Fixed: 1102418
Signed-off-by: Arumuga Durai A <cadurai@codeaurora.org>
---
drivers/usb/gadget/function/f_mbim.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/function/f_mbim.c b/drivers/usb/gadget/function/f_mbim.c
index 717ee23..84c0066 100644
--- a/drivers/usb/gadget/function/f_mbim.c
+++ b/drivers/usb/gadget/function/f_mbim.c
@@ -2030,7 +2030,7 @@ static long mbim_ioctl(struct file *fp, unsigned cmd, unsigned long arg)
default:
ret = -ENODEV;
pr_err("unknown transport\n");
- break;
+ goto fail;
}
ret = copy_to_user((void __user *)arg, &info,
@@ -2046,6 +2046,7 @@ static long mbim_ioctl(struct file *fp, unsigned cmd, unsigned long arg)
ret = -EINVAL;
}
+fail:
mbim_unlock(&mbim->ioctl_excl);
return ret;
--
cgit v1.1