mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-30 01:46:30 -05:00
42 lines
1.3 KiB
Diff
42 lines
1.3 KiB
Diff
From b8199c2b852f1e23c988e10b8fbb8d34c98b4a1c Mon Sep 17 00:00:00 2001
|
|
From: Arumuga Durai A <cadurai@codeaurora.org>
|
|
Date: Tue, 27 Dec 2016 19:50:06 +0530
|
|
Subject: USB: gadget: mbim: Avoid copying uninitialized data to userspace
|
|
|
|
A race condition bug in function 'mbim_bind_config' allows to
|
|
change 'mbim->xport' type to invalid value. This allows
|
|
mbim_ioctl() to copy the uninitialized data to userspace. Fix
|
|
this by avoiding copy_to_user() call when transport type is invalid.
|
|
|
|
Change-Id: If8e8b6d4e2c347e1aff529bed0a798128eaea07c
|
|
CRs-Fixed: 1102418
|
|
Signed-off-by: Arumuga Durai A <cadurai@codeaurora.org>
|
|
---
|
|
drivers/usb/gadget/function/f_mbim.c | 3 ++-
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/drivers/usb/gadget/function/f_mbim.c b/drivers/usb/gadget/function/f_mbim.c
|
|
index 717ee23..84c0066 100644
|
|
--- a/drivers/usb/gadget/function/f_mbim.c
|
|
+++ b/drivers/usb/gadget/function/f_mbim.c
|
|
@@ -2030,7 +2030,7 @@ static long mbim_ioctl(struct file *fp, unsigned cmd, unsigned long arg)
|
|
default:
|
|
ret = -ENODEV;
|
|
pr_err("unknown transport\n");
|
|
- break;
|
|
+ goto fail;
|
|
}
|
|
|
|
ret = copy_to_user((void __user *)arg, &info,
|
|
@@ -2046,6 +2046,7 @@ static long mbim_ioctl(struct file *fp, unsigned cmd, unsigned long arg)
|
|
ret = -EINVAL;
|
|
}
|
|
|
|
+fail:
|
|
mbim_unlock(&mbim->ioctl_excl);
|
|
|
|
return ret;
|
|
--
|
|
cgit v1.1
|
|
|