From 36e844671cbdace27f0462a46cedde0a4d6b1001 Mon Sep 17 00:00:00 2001
From: Dongxiao Xu
Date: Sun, 31 May 2009 14:43:35 +0800
Subject: [PATCH] Staging: heci: fix userspace pointer mess
Fix userspace pointer mess.
- In memcmp(), dest and src pointer should be both in kernel space.
- Add (void __user *) modification before userspace pointer.
Signed-off-by: Dongxiao Xu
Signed-off-by: Greg Kroah-Hartman
---
 drivers/staging/heci/heci_main.c | 9 ++++++---
 drivers/staging/heci/io_heci.c | 15 +++++++++------
 2 files changed, 15 insertions(+), 9 deletions(-)
diff --git a/drivers/staging/heci/heci_main.c b/drivers/staging/heci/heci_main.c
index 00e44c7..daf1107 100644
--- a/drivers/staging/heci/heci_main.c
+++ b/drivers/staging/heci/heci_main.c
@@ -1140,9 +1140,12 @@ static ssize_t heci_write(struct file *file, const char __user *ubuf,
 spin_lock(&file_ext->file_lock);
 file_ext->sm_state = 0;
 if ((length == 4) &&
- ((memcmp(heci_wd_state_independence_msg[0], ubuf, 4) == 0) ||
- (memcmp(heci_wd_state_independence_msg[1], ubuf, 4) == 0) ||
- (memcmp(heci_wd_state_independence_msg[2], ubuf, 4) == 0)))
+ ((memcmp(heci_wd_state_independence_msg[0],
+ priv_write_cb->request_buffer.data, 4) == 0) ||
+ (memcmp(heci_wd_state_independence_msg[1],
+ priv_write_cb->request_buffer.data, 4) == 0) ||
+ (memcmp(heci_wd_state_independence_msg[2],
+ priv_write_cb->request_buffer.data, 4) == 0)))
 file_ext->sm_state |= HECI_WD_STATE_INDEPENDENCE_MSG_SENT;
 spin_unlock(&file_ext->file_lock);
diff --git a/drivers/staging/heci/io_heci.c b/drivers/staging/heci/io_heci.c
index f7544a7..619eeed 100644
--- a/drivers/staging/heci/io_heci.c
+++ b/drivers/staging/heci/io_heci.c
@@ -111,7 +111,7 @@ int heci_ioctl_get_version(struct iamt_heci_device *dev, int if_num,
 rets = file_ext->status;
 /* now copy the data to user space */
- if (copy_to_user(k_msg.data, res_msg.data, res_msg.size)) {
+ if (copy_to_user((void __user *)k_msg.data, res_msg.data, res_msg.size)) {
 rets = -EFAULT;
 goto end;
 }
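Review bot: The three `memcmp` calls in the `length == 4` condition of heci_write rely on `priv_write_cb->request_buffer.data` already holding at least four bytes copied from `ubuf`, and that copy is not visible in this hunk, so the dependency should be stated where the comparison is made. A comment above the `if` such as `/* compare the kernel copy of the request, never ubuf itself */` would record why the user pointer must not come back here. The literal `4` appears in the length test and in every compare; if the entries of `heci_wd_state_independence_msg` are fixed-size arrays (their declaration is outside the hunk), `sizeof(heci_wd_state_independence_msg[0])` would keep them in step. heci_write starts and ends outside the hunk.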
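Review bot: The `(void __user *)` cast on `k_msg.data` in heci_ioctl_get_version satisfies the address-space check at this one call but records nowhere that the field holds a user pointer, so every later use of `k_msg.data` has to repeat the cast and a plain dereference would still pass unnoticed. Declaring the field itself as a user pointer in the type of `k_msg`, for example `void __user *data;` (the current declaration is not part of this patch), would let sparse check every access and make the casts unnecessary. The same applies to the casts added in heci_ioctl_connect_client, heci_ioctl_wd and heci_ioctl_bypass_wd. If that type is shared with the kernel-side `req_msg` and `res_msg` buffers, the user-supplied message would need a type of its own.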
@@ -188,7 +188,7 @@ int heci_ioctl_connect_client(struct iamt_heci_device *dev, int if_num,
 /* copy the message to kernel space -
 * use a pointer already copied into kernel space */
- if (copy_from_user(req_msg.data, k_msg.data, k_msg.size)) {
+ if (copy_from_user(req_msg.data, (void __user *)k_msg.data, k_msg.size)) {
 rets = -EFAULT;
 goto end;
 }
@@ -266,7 +266,8 @@ int heci_ioctl_connect_client(struct iamt_heci_device *dev, int if_num,
 spin_unlock_bh(&dev->device_lock);
 /* now copy the data to user space */
- if (copy_to_user(k_msg.data, res_msg.data, res_msg.size)) {
+ if (copy_to_user((void __user *)k_msg.data,
+ res_msg.data, res_msg.size)) {
 rets = -EFAULT;
 goto end;
 }
@@ -320,7 +321,8 @@ int heci_ioctl_connect_client(struct iamt_heci_device *dev, int if_num,
 DBG("successfully connected to FW client.\n");
 rets = file_ext->status;
 /* now copy the data to user space */
- if (copy_to_user(k_msg.data, res_msg.data, res_msg.size)) {
+ if (copy_to_user((void __user *)k_msg.data,
+ res_msg.data, res_msg.size)) {
 rets = -EFAULT;
 goto end;
 }
@@ -394,7 +396,8 @@ int heci_ioctl_wd(struct iamt_heci_device *dev, int if_num,
 /* copy the message to kernel space - use a pointer already
 * copied into kernel space */
- if (copy_from_user(req_msg.data, k_msg.data, req_msg.size)) {
+ if (copy_from_user(req_msg.data,
+ (void __user *)k_msg.data, req_msg.size)) {
 rets = -EFAULT;
 goto end;
 }
@@ -464,7 +467,7 @@ int heci_ioctl_bypass_wd(struct iamt_heci_device *dev, int if_num,
 return -EMSGSIZE;
 }
 spin_unlock(&file_ext->file_lock);
- if (copy_from_user(&flag, k_msg.data, 1)) {
+ if (copy_from_user(&flag, (void __user *)k_msg.data, 1)) {
 rets = -EFAULT;
 goto end;
 }
--
2.7.4
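Review bot: The `copy_from_user` in the -188 hunk of heci_ioctl_connect_client takes its length from `k_msg.size`, a value that came from the caller, whereas the equivalent call in heci_ioctl_wd (the -394 hunk) uses `req_msg.size`, which presumably describes the destination buffer. Unless `k_msg.size` is checked against the allocation behind `req_msg.data` earlier in the function, which this hunk does not show, the number of bytes written into kernel memory is chosen by user space. Bounding the copy by the destination, `copy_from_user(req_msg.data, (void __user *)k_msg.data, req_msg.size)`, would make the call safe on its own, provided `req_msg.size` is set in this function as it appears to be in heci_ioctl_wd. At minimum, a comment naming the earlier size check belongs next to the call.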
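Review bot: The literal `1` in `copy_from_user(&flag, (void __user *)k_msg.data, 1)` in heci_ioctl_bypass_wd ties the copy length to an assumption about the type of `flag`, whose declaration is outside the hunk. Writing the length as `sizeof(flag)` keeps the destination and the byte count in step if the type ever changes. If `flag` is wider than one byte and not initialised before this call, only part of it is defined after the copy. The check that returns `-EMSGSIZE` just above would ideally compare against the same expression.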