evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

mmc: core : fix arbitrary read/write to user space

Browse source 
In the MMC card debug_fs the read and write handlers use the strlcat
and sscanf, without checking the pointer given.
Since the pointer is not checked it is possible to write
everywhere (ring 0 or 3).
In order to fix it, an access_ok function is being used to verify
the buffer's pointer supplied by user is valid.

CRs-fixed: 545716
Change-Id: Ia710b6af5a95974fc930ca902e8ff18afa4e17ba
Signed-off-by: Raviv Shvili <rshvili@codeaurora.org>
[merez@codeaurora.org: Fixed conflicts due to missing BKOPS statistics]
Signed-off-by: Maya Erez <merez@codeaurora.org>
This commit is contained in:
Raviv Shvili 2014-12-06 20:06:27 +02:00 committed by Subhash Jadavani
parent a35f5e1cc4
commit 3f3e47cfbb
1 changed files with 7 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
drivers/mmc/core/debugfs.c
View file

@ -15,6 +15,7 @@
#include <linux/slab.h>
#include <linux/stat.h>
#include <linux/fault-inject.h>
#include <linux/uaccess.h>
#include <linux/mmc/card.h>
#include <linux/mmc/host.h>
@ -424,6 +425,9 @@ static ssize_t mmc_wr_pack_stats_read(struct file *filp, char __user *ubuf,
if (!card)
return cnt;
if (!access_ok(VERIFY_WRITE, ubuf, cnt))
return cnt;
if (!card->wr_pack_stats.print_in_read)
return 0;
@ -564,6 +568,9 @@ static ssize_t mmc_wr_pack_stats_write(struct file *filp,
if (!card)
return cnt;
if (!access_ok(VERIFY_READ, ubuf, cnt))
return cnt;
sscanf(ubuf, "%d", &value);
if (value) {
mmc_blk_init_packed_statistics(card);