[PATCH] dm ioctl: Access user-land memory through safe functions.

From b26adf880eba03ac6f2b1dd87426bb96fd2a0282 Mon Sep 17 00:00:00 2001
From: Scotty Bauer <sbauer@xxxxxxxxxxxx>
Date: Tue, 1 Dec 2015 10:52:46 -0700
Subject: [PATCH] dm ioctl: Access user-land memory through safe functions.

This patch fixes a user-land dereference. Now we use
the safe copy_from_user to access the memory.

Signed-off-by: Scotty Bauer <sbauer@xxxxxxxxxxxx>
---
 drivers/md/dm-ioctl.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
index 80a4395..39a9d1a 100644
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -1642,9 +1642,13 @@ static ioctl_fn lookup_ioctl(unsigned int cmd, int *ioctl_flags)
 static int check_version(unsigned int cmd, struct dm_ioctl __user *user)
 {
 	uint32_t version[3];
+	uint32_t __user *version_ptr;
 	int r = 0;
 
-	if (copy_from_user(version, user->version, sizeof(version)))
+	if (copy_from_user(&version_ptr, &user->version, sizeof(version_ptr)))
+		return -EFAULT;
+
+	if (copy_from_user(version, version_ptr, sizeof(version)))
 		return -EFAULT;
 
 	if ((DM_VERSION_MAJOR != version[0]) ||
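Review bot: the first added copy_from_user() reads sizeof(version_ptr) bytes from &user->version and then uses them as a user-space address, which is only correct if the version member of struct dm_ioctl is itself a pointer. The removed line copied sizeof(version), three uint32_t, straight from user->version, which suggests the member is an embedded array. In that case user->version is only address arithmetic on the __user pointer, no load from user memory happens in the kernel, and the original call was already going through copy_from_user(). With an array member the new code would interpret the caller's version numbers as an address and fetch the version from there. Please quote the member's declaration in the commit message and show where the claimed dereference occurs; if the member is an array, this change should be dropped.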
@@ -1663,7 +1667,7 @@ static int check_version(unsigned int cmd, struct dm_ioctl __user *user)
 	version[0] = DM_VERSION_MAJOR;
 	version[1] = DM_VERSION_MINOR;
 	version[2] = DM_VERSION_PATCHLEVEL;
-	if (copy_to_user(user->version, version, sizeof(version)))
+	if (copy_to_user(version_ptr, version, sizeof(version)))
 		return -EFAULT;
 
 	return r;
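Review bot: in the copy_to_user() call, switching the destination to version_ptr means the kernel's version triple is written to an address taken from user-supplied data instead of into the caller's struct dm_ioctl, which is right only if the version member is a pointer. If the member is an embedded array, the destination has to stay user->version, otherwise the caller never sees the kernel version in the structure it passed in and the write lands at whatever address its own version field happened to encode. The commit message should also say where the version is returned after this change, since that is visible to user space.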
-- 
1.9.1

--
dm-devel mailing list
dm-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/dm-devel
