From b26adf880eba03ac6f2b1dd87426bb96fd2a0282 Mon Sep 17 00:00:00 2001
From: Scotty Bauer <sbauer@xxxxxxxxxxxx>
Date: Tue, 1 Dec 2015 10:52:46 -0700
Subject: [PATCH] dm ioctl: Access user-land memory through safe functions.
This patch fixes a user-land dereference. Now we use
the safe copy_from_user to access the memory.
Signed-off-by: Scotty Bauer <sbauer@xxxxxxxxxxxx>
---
drivers/md/dm-ioctl.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
index 80a4395..39a9d1a 100644
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -1642,9 +1642,13 @@ static ioctl_fn lookup_ioctl(unsigned int cmd, int *ioctl_flags)
static int check_version(unsigned int cmd, struct dm_ioctl __user *user)
{
uint32_t version[3];
+ uint32_t __user *version_ptr;
int r = 0;
- if (copy_from_user(version, user->version, sizeof(version)))
+ if (copy_from_user(&version_ptr, &user->version, sizeof(version_ptr)))
+ return -EFAULT;
+
+ if (copy_from_user(version, version_ptr, sizeof(version)))
return -EFAULT;
if ((DM_VERSION_MAJOR != version[0]) ||
@@ -1663,7 +1667,7 @@ static int check_version(unsigned int cmd, struct dm_ioctl __user *user)
version[0] = DM_VERSION_MAJOR;
version[1] = DM_VERSION_MINOR;
version[2] = DM_VERSION_PATCHLEVEL;
- if (copy_to_user(user->version, version, sizeof(version)))
+ if (copy_to_user(version_ptr, version, sizeof(version)))
return -EFAULT;
return r;
--
1.9.1
--
dm-devel mailing list
dm-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/dm-devel
