diff options
authorRaviv Shvili <rshvili@codeaurora.org>2013-10-31 17:38:19 +0200
committerGerrit - the friendly Code Review server <code-review@localhost>2013-12-19 11:05:44 -0800
commit9bc30c0d1832f7dd5b6fa10d5e48a29025176569 (patch)
parent6ed921bda8cbb505e8654dfc1095185b0bccc38e (diff)
mmc: core : fix arbitrary read/write to user space
In the MMC card debug_fs the read and write handlers use the strlcat and sscanf, without checking the pointer given. Since the pointer is not checked it is possible to write everywhere (ring 0 or 3). In order to fix it, an access_ok function is being used to verify the buffer's pointer supplied by user is valid. CRs-fixed: 545716 Change-Id: I13ca736337fefe29ff9b0df6a318e7d92240f8b2 Signed-off-by: Raviv Shvili <rshvili@codeaurora.org>
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/mmc/core/debugfs.c b/drivers/mmc/core/debugfs.c
index 9897f9f..4ec8941 100644
--- a/drivers/mmc/core/debugfs.c
+++ b/drivers/mmc/core/debugfs.c
@@ -647,6 +647,9 @@ static ssize_t mmc_bkops_stats_write(struct file *filp,
if (!card)
return cnt;
+ if (!access_ok(VERIFY_READ, ubuf, cnt))
+ return cnt;
bkops_stats = &card->bkops_info.bkops_stats;
sscanf(ubuf, "%d", &value);