diff options
author | Dongxiao Xu <dongxiao.xu@intel.com> | 2009-05-31 14:43:35 +0800 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2009-06-19 11:00:54 -0700 |
commit | 36e844671cbdace27f0462a46cedde0a4d6b1001 (patch) | |
tree | 84f52daeb2f564f961ff0b3528e05355f1000850 | |
parent | 7a80bfcd1f4bac61d586d3551f74215ff02e9cba (diff) |
Staging: heci: fix userspace pointer mess
Fix userspace pointer mess.
- In memcmp(), dest and src pointer should be both in kernel space.
- Add (void __user *) modification before userspace pointer.
Signed-off-by: Dongxiao Xu <dongxiao.xu@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | drivers/staging/heci/heci_main.c | 9 | ||||
-rw-r--r-- | drivers/staging/heci/io_heci.c | 15 |
2 files changed, 15 insertions, 9 deletions
diff --git a/drivers/staging/heci/heci_main.c b/drivers/staging/heci/heci_main.c index 00e44c781428..daf1107cb8e0 100644 --- a/drivers/staging/heci/heci_main.c +++ b/drivers/staging/heci/heci_main.c @@ -1140,9 +1140,12 @@ static ssize_t heci_write(struct file *file, const char __user *ubuf, spin_lock(&file_ext->file_lock); file_ext->sm_state = 0; if ((length == 4) && - ((memcmp(heci_wd_state_independence_msg[0], ubuf, 4) == 0) || - (memcmp(heci_wd_state_independence_msg[1], ubuf, 4) == 0) || - (memcmp(heci_wd_state_independence_msg[2], ubuf, 4) == 0))) + ((memcmp(heci_wd_state_independence_msg[0], + priv_write_cb->request_buffer.data, 4) == 0) || + (memcmp(heci_wd_state_independence_msg[1], + priv_write_cb->request_buffer.data, 4) == 0) || + (memcmp(heci_wd_state_independence_msg[2], + priv_write_cb->request_buffer.data, 4) == 0))) file_ext->sm_state |= HECI_WD_STATE_INDEPENDENCE_MSG_SENT; spin_unlock(&file_ext->file_lock); diff --git a/drivers/staging/heci/io_heci.c b/drivers/staging/heci/io_heci.c index f7544a7bbbe0..619eeed87ea2 100644 --- a/drivers/staging/heci/io_heci.c +++ b/drivers/staging/heci/io_heci.c @@ -111,7 +111,7 @@ int heci_ioctl_get_version(struct iamt_heci_device *dev, int if_num, rets = file_ext->status; /* now copy the data to user space */ - if (copy_to_user(k_msg.data, res_msg.data, res_msg.size)) { + if (copy_to_user((void __user *)k_msg.data, res_msg.data, res_msg.size)) { rets = -EFAULT; goto end; } @@ -188,7 +188,7 @@ int heci_ioctl_connect_client(struct iamt_heci_device *dev, int if_num, /* copy the message to kernel space - * use a pointer already copied into kernel space */ - if (copy_from_user(req_msg.data, k_msg.data, k_msg.size)) { + if (copy_from_user(req_msg.data, (void __user *)k_msg.data, k_msg.size)) { rets = -EFAULT; goto end; } @@ -266,7 +266,8 @@ int heci_ioctl_connect_client(struct iamt_heci_device *dev, int if_num, spin_unlock_bh(&dev->device_lock); /* now copy the data to user space */ - if (copy_to_user(k_msg.data, res_msg.data, res_msg.size)) { + if (copy_to_user((void __user *)k_msg.data, + res_msg.data, res_msg.size)) { rets = -EFAULT; goto end; } @@ -320,7 +321,8 @@ int heci_ioctl_connect_client(struct iamt_heci_device *dev, int if_num, DBG("successfully connected to FW client.\n"); rets = file_ext->status; /* now copy the data to user space */ - if (copy_to_user(k_msg.data, res_msg.data, res_msg.size)) { + if (copy_to_user((void __user *)k_msg.data, + res_msg.data, res_msg.size)) { rets = -EFAULT; goto end; } @@ -394,7 +396,8 @@ int heci_ioctl_wd(struct iamt_heci_device *dev, int if_num, /* copy the message to kernel space - use a pointer already * copied into kernel space */ - if (copy_from_user(req_msg.data, k_msg.data, req_msg.size)) { + if (copy_from_user(req_msg.data, + (void __user *)k_msg.data, req_msg.size)) { rets = -EFAULT; goto end; } @@ -464,7 +467,7 @@ int heci_ioctl_bypass_wd(struct iamt_heci_device *dev, int if_num, return -EMSGSIZE; } spin_unlock(&file_ext->file_lock); - if (copy_from_user(&flag, k_msg.data, 1)) { + if (copy_from_user(&flag, (void __user *)k_msg.data, 1)) { rets = -EFAULT; goto end; } |