DivestOS/Patches/Linux_CVEs/CVE-2014-9790/ANY/0001.patch
2017-11-07 17:32:46 -05:00

65 lines
1.8 KiB
Diff

From 6ed921bda8cbb505e8654dfc1095185b0bccc38e Mon Sep 17 00:00:00 2001
From: Raviv Shvili <rshvili@codeaurora.org>
Date: Tue, 1 Oct 2013 17:18:29 +0300
Subject: mmc: core : fix arbitrary read/write to user space
In the MMC card debug_fs the read and write handlers use the strlcat
and sscanf, without checking the pointer given.
Since the pointer is not checked it is possible to write
everywhere (ring 0 or 3).
In order to fix it, an access_ok function is being used to verify
the buffer's pointer supplied by user is valid.
CRs-fixed: 545716
Change-Id: Ia710b6af5a95974fc930ca902e8ff18afa4e17ba
Signed-off-by: Raviv Shvili <rshvili@codeaurora.org>
---
drivers/mmc/core/debugfs.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/mmc/core/debugfs.c b/drivers/mmc/core/debugfs.c
index 903decf..9897f9f 100644
--- a/drivers/mmc/core/debugfs.c
+++ b/drivers/mmc/core/debugfs.c
@@ -15,6 +15,7 @@
#include <linux/slab.h>
#include <linux/stat.h>
#include <linux/fault-inject.h>
+#include <linux/uaccess.h>
#include <linux/mmc/card.h>
#include <linux/mmc/host.h>
@@ -392,6 +393,9 @@ static ssize_t mmc_wr_pack_stats_read(struct file *filp, char __user *ubuf,
if (!card)
return cnt;
+ if (!access_ok(VERIFY_WRITE, ubuf, cnt))
+ return cnt;
+
if (!card->wr_pack_stats.print_in_read)
return 0;
@@ -532,6 +536,9 @@ static ssize_t mmc_wr_pack_stats_write(struct file *filp,
if (!card)
return cnt;
+ if (!access_ok(VERIFY_READ, ubuf, cnt))
+ return cnt;
+
sscanf(ubuf, "%d", &value);
if (value) {
mmc_blk_init_packed_statistics(card);
@@ -571,6 +578,9 @@ static ssize_t mmc_bkops_stats_read(struct file *filp, char __user *ubuf,
if (!card)
return cnt;
+ if (!access_ok(VERIFY_WRITE, ubuf, cnt))
+ return cnt;
+
bkops_stats = &card->bkops_info.bkops_stats;
if (!bkops_stats->print_stats)
--
cgit v1.1