Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

fbdev: smscufx: properly copy ioctl memory to kernelspace

The UFX_IOCTL_REPORT_DAMAGE ioctl does not properly copy data from
userspace to kernelspace, and instead directly references the memory,
which can cause problems if invalid data is passed from userspace. Fix
this all up by correctly copying the memory before accessing it within
the kernel.

Reported-by: Tianchu Chen <flynnnchen@tencent.com>
Cc: stable <stable@kernel.org>
Cc: Steve Glendinning <steve.glendinning@shawell.net>
Cc: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Helge Deller <deller@gmx.de>

authored by Greg Kroah-Hartman and committed by Helge Deller
120adae7 0209e21e

+6 -2
drivers/video/fbdev/smscufx.c
··· 932 932 unsigned long arg) 933 933 { 934 934 struct ufx_data *dev = info->par; 935 - struct dloarea *area = NULL; 936 935 937 936 if (!atomic_read(&dev->usb_active)) 938 937 return 0; ··· 946 947 947 948 /* TODO: Help propose a standard fb.h ioctl to report mmap damage */ 948 949 if (cmd == UFX_IOCTL_REPORT_DAMAGE) { 950 + struct dloarea *area __free(kfree) = kmalloc(sizeof(*area), GFP_KERNEL); 951 + if (!area) 952 + return -ENOMEM; 953 + 949 954 /* If we have a damage-aware client, turn fb_defio "off" 950 955 * To avoid perf imact of unnecessary page fault handling. 951 956 * Done by resetting the delay for this fb_info to a very ··· 959 956 if (info->fbdefio) 960 957 info->fbdefio->delay = UFX_DEFIO_WRITE_DISABLE; 961 958 962 - area = (struct dloarea *)arg; 959 + if (copy_from_user(area, (u8 __user *)arg, sizeof(*area))) 960 + return -EFAULT; 963 961 964 962 if (area->x < 0) 965 963 area->x = 0;
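Review bot: the kmalloc(sizeof(*area), GFP_KERNEL) added at the top of the UFX_IOCTL_REPORT_DAMAGE branch allocates a fixed-size structure only so that copy_from_user() can fill it a few lines later. memdup_user() would do the allocation and the copy in one call, and if struct dloarea is small a local struct dloarea filled with copy_from_user(&area, ...) would remove the -ENOMEM path and the __free(kfree) cleanup entirely.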
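Review bot: in the last hunk the copy_from_user() check sits after info->fbdefio->delay has already been set to UFX_DEFIO_WRITE_DISABLE, so a call that fails with -EFAULT still leaves deferred I/O switched off. Moving the copy and its error return above the fbdefio block would keep a rejected ioctl free of side effects. The cast would also read better as (struct dloarea __user *)arg or (void __user *)arg than (u8 __user *)arg, since it then says what is being copied.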