mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
38 lines
1.1 KiB
Diff
38 lines
1.1 KiB
Diff
From 9bc30c0d1832f7dd5b6fa10d5e48a29025176569 Mon Sep 17 00:00:00 2001
|
|
From: Raviv Shvili <rshvili@codeaurora.org>
|
|
Date: Thu, 31 Oct 2013 17:38:19 +0200
|
|
Subject: mmc: core : fix arbitrary read/write to user space
|
|
|
|
In the MMC card debug_fs the read and write handlers use the strlcat
|
|
and sscanf, without checking the pointer given.
|
|
Since the pointer is not checked it is possible to write
|
|
everywhere (ring 0 or 3).
|
|
In order to fix it, an access_ok function is being used to verify
|
|
the buffer's pointer supplied by user is valid.
|
|
|
|
CRs-fixed: 545716
|
|
|
|
Change-Id: I13ca736337fefe29ff9b0df6a318e7d92240f8b2
|
|
Signed-off-by: Raviv Shvili <rshvili@codeaurora.org>
|
|
---
|
|
drivers/mmc/core/debugfs.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/drivers/mmc/core/debugfs.c b/drivers/mmc/core/debugfs.c
|
|
index 9897f9f..4ec8941 100644
|
|
--- a/drivers/mmc/core/debugfs.c
|
|
+++ b/drivers/mmc/core/debugfs.c
|
|
@@ -647,6 +647,9 @@ static ssize_t mmc_bkops_stats_write(struct file *filp,
|
|
if (!card)
|
|
return cnt;
|
|
|
|
+ if (!access_ok(VERIFY_READ, ubuf, cnt))
|
|
+ return cnt;
|
|
+
|
|
bkops_stats = &card->bkops_info.bkops_stats;
|
|
|
|
sscanf(ubuf, "%d", &value);
|
|
--
|
|
cgit v1.1
|
|
|