mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
104 lines
3.0 KiB
Diff
104 lines
3.0 KiB
Diff
|
From 96a62c1de93a44e6ca69514411baf4b3d67f6dee Mon Sep 17 00:00:00 2001
|
||
|
|
From: Lee Susman <lsusman@codeaurora.org>
|
||
|
|
Date: Mon, 11 Nov 2013 08:53:40 +0200
|
||
|
|
Subject: mmc: card: fix arbitrary write via read handler in mmc_block_test
|
||
|
|
|
||
|
|
In mmc_block_test, the debug_fs based read function handlers write to an
|
||
|
|
arbitrary buffer which is given by any user. We add an access_ok check
|
||
|
|
to verify that the address pointed by *buffer is not in kernel space.
|
||
|
|
Only if the buffer is valid, do we continue the read handler.
|
||
|
|
|
||
|
|
Change-Id: I35fe9bb70df8de92cb4d3b15c851aa9131a0e8d9
|
||
|
|
Signed-off-by: Lee Susman <lsusman@codeaurora.org>
|
||
|
|
---
|
||
|
|
drivers/mmc/card/mmc_block_test.c | 24 ++++++++++++++++++++++++
|
||
|
|
1 file changed, 24 insertions(+)
|
||
|
|
|
||
|
|
diff --git a/drivers/mmc/card/mmc_block_test.c b/drivers/mmc/card/mmc_block_test.c
|
||
|
|
index ea73352..b24c367 100644
|
||
|
|
--- a/drivers/mmc/card/mmc_block_test.c
|
||
|
|
+++ b/drivers/mmc/card/mmc_block_test.c
|
||
|
|
@@ -2219,6 +2219,9 @@ static ssize_t send_write_packing_test_read(struct file *file,
|
||
|
|
size_t count,
|
||
|
|
loff_t *offset)
|
||
|
|
{
|
||
|
|
+ if (!access_ok(VERIFY_WRITE, buffer, count))
|
||
|
|
+ return count;
|
||
|
|
+
|
||
|
|
memset((void *)buffer, 0, count);
|
||
|
|
|
||
|
|
snprintf(buffer, count,
|
||
|
|
@@ -2317,6 +2320,9 @@ static ssize_t err_check_test_read(struct file *file,
|
||
|
|
size_t count,
|
||
|
|
loff_t *offset)
|
||
|
|
{
|
||
|
|
+ if (!access_ok(VERIFY_WRITE, buffer, count))
|
||
|
|
+ return count;
|
||
|
|
+
|
||
|
|
memset((void *)buffer, 0, count);
|
||
|
|
|
||
|
|
snprintf(buffer, count,
|
||
|
|
@@ -2425,6 +2431,9 @@ static ssize_t send_invalid_packed_test_read(struct file *file,
|
||
|
|
size_t count,
|
||
|
|
loff_t *offset)
|
||
|
|
{
|
||
|
|
+ if (!access_ok(VERIFY_WRITE, buffer, count))
|
||
|
|
+ return count;
|
||
|
|
+
|
||
|
|
memset((void *)buffer, 0, count);
|
||
|
|
|
||
|
|
snprintf(buffer, count,
|
||
|
|
@@ -2539,6 +2548,9 @@ static ssize_t write_packing_control_test_read(struct file *file,
|
||
|
|
size_t count,
|
||
|
|
loff_t *offset)
|
||
|
|
{
|
||
|
|
+ if (!access_ok(VERIFY_WRITE, buffer, count))
|
||
|
|
+ return count;
|
||
|
|
+
|
||
|
|
memset((void *)buffer, 0, count);
|
||
|
|
|
||
|
|
snprintf(buffer, count,
|
||
|
|
@@ -2621,6 +2633,9 @@ static ssize_t bkops_test_read(struct file *file,
|
||
|
|
size_t count,
|
||
|
|
loff_t *offset)
|
||
|
|
{
|
||
|
|
+ if (!access_ok(VERIFY_WRITE, buffer, count))
|
||
|
|
+ return count;
|
||
|
|
+
|
||
|
|
memset((void *)buffer, 0, count);
|
||
|
|
|
||
|
|
snprintf(buffer, count,
|
||
|
|
@@ -2709,6 +2724,9 @@ static ssize_t long_sequential_read_test_read(struct file *file,
|
||
|
|
size_t count,
|
||
|
|
loff_t *offset)
|
||
|
|
{
|
||
|
|
+ if (!access_ok(VERIFY_WRITE, buffer, count))
|
||
|
|
+ return count;
|
||
|
|
+
|
||
|
|
memset((void *)buffer, 0, count);
|
||
|
|
|
||
|
|
snprintf(buffer, count,
|
||
|
|
@@ -2869,6 +2887,9 @@ static ssize_t long_sequential_write_test_read(struct file *file,
|
||
|
|
size_t count,
|
||
|
|
loff_t *offset)
|
||
|
|
{
|
||
|
|
+ if (!access_ok(VERIFY_WRITE, buffer, count))
|
||
|
|
+ return count;
|
||
|
|
+
|
||
|
|
memset((void *)buffer, 0, count);
|
||
|
|
|
||
|
|
snprintf(buffer, count,
|
||
|
|
@@ -2942,6 +2963,9 @@ static ssize_t new_req_notification_test_read(struct file *file,
|
||
|
|
size_t count,
|
||
|
|
loff_t *offset)
|
||
|
|
{
|
||
|
|
+ if (!access_ok(VERIFY_WRITE, buffer, count))
|
||
|
|
+ return count;
|
||
|
|
+
|
||
|
|
memset((void *)buffer, 0, count);
|
||
|
|
|
||
|
|
snprintf(buffer, count,
|
||
|
|
--
|
||
|
|
cgit v1.1
|
||
|
|
|