USB: gadget: mbim: Avoid copying uninitialized data to userspace

A race condition bug in function 'mbim_bind_config' allows changing
the 'mbim->xport' type to an invalid value. This allows
mbim_ioctl() to copy uninitialized data to userspace. Fix
this by avoiding the copy_to_user() call when the transport type is invalid.

Change-Id: If8e8b6d4e2c347e1aff529bed0a798128eaea07c
CRs-Fixed: 1102418
Signed-off-by: Arumuga Durai A <cadurai@codeaurora.org>
Arumuga Durai A 2016-12-27 19:50:06 +05:30
parent a6d83d2e8e
commit 489ce6427f


@ -2027,7 +2027,7 @@ static long mbim_ioctl(struct file *fp, unsigned cmd, unsigned long arg)
default:
ret = -ENODEV;
pr_err("unknown transport\n");
break;
goto fail;
}
ret = copy_to_user((void __user *)arg, &info,
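Review bot: In the `default:` transport case, `goto fail` keeps this one path away from copy_to_user(), but `info` itself is still left uninitialized, so the fix depends on every other case filling every field before the copy. Zeroing `info` ahead of the transport switch (for example with memset()) would make the copy safe regardless of which case runs. The commit message names a race in mbim_bind_config() as the cause of the invalid `mbim->xport` value; nothing in the visible hunks addresses that race, so it should be tracked as a follow-up. Since userspace can reach this `pr_err("unknown transport\n")` through the ioctl, a rate-limited print would also be worth considering.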
@ -2043,6 +2043,7 @@ static long mbim_ioctl(struct file *fp, unsigned cmd, unsigned long arg)
ret = -EINVAL;
}
fail:
mbim_unlock(&mbim->ioctl_excl);
return ret;
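Review bot: The `fail:` label before `mbim_unlock(&mbim->ioctl_excl)` is also reached by normal fall-through at the end of the function, so successful ioctls pass through it too; a neutral name such as `out` or `unlock` would describe it better. Its position is right: the early exit from the unknown-transport case still releases `ioctl_excl` and returns the `-ENODEV` already stored in `ret`.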