Commit 7a80bfcd authored by vibi sreenivasan's avatar vibi sreenivasan Committed by Greg Kroah-Hartman

Staging: rspiusb: copy_to/from_user related fixes

The patch does copy_to/from_user related fixes

*) __copy_from/to_user is enough for user space data buffer checked by access_ok.
*) return -EFAULT if __copy_from/to_user fails.
*) Do not use memcpy to copy from user space.
Signed-off-by: Vibi Sreenivasan <vibi_sreenivasan@cms.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
parent 8d2db516
...@@ -217,8 +217,10 @@ static int pixis_io(struct ioctl_struct *ctrl, struct device_extension *pdx, ...@@ -217,8 +217,10 @@ static int pixis_io(struct ioctl_struct *ctrl, struct device_extension *pdx,
dbg("numbytes to read = %d", numbytes); dbg("numbytes to read = %d", numbytes);
dbg("endpoint # %d", ctrl->endpoint); dbg("endpoint # %d", ctrl->endpoint);
if (copy_from_user(uBuf, ctrl->pData, numbytes)) if (copy_from_user(uBuf, ctrl->pData, numbytes)) {
dbg("copying ctrl->pData to dummyBuf failed"); dbg("copying ctrl->pData to dummyBuf failed");
return -EFAULT;
}
do { do {
i = usb_bulk_msg(pdx->udev, pdx->hEP[ctrl->endpoint], i = usb_bulk_msg(pdx->udev, pdx->hEP[ctrl->endpoint],
...@@ -304,9 +306,11 @@ static int piusb_ioctl(struct inode *inode, struct file *file, unsigned int cmd, ...@@ -304,9 +306,11 @@ static int piusb_ioctl(struct inode *inode, struct file *file, unsigned int cmd,
} }
switch (cmd) { switch (cmd) {
case PIUSB_GETVNDCMD: case PIUSB_GETVNDCMD:
if (copy_from_user if (__copy_from_user
(&ctrl, (void __user *)arg, sizeof(struct ioctl_struct))) (&ctrl, (void __user *)arg, sizeof(struct ioctl_struct))) {
dev_err(&pdx->udev->dev, "copy_from_user failed\n"); dev_err(&pdx->udev->dev, "copy_from_user failed\n");
return -EFAULT;
}
dbg("%s %x\n", "Get Vendor Command = ", ctrl.cmd); dbg("%s %x\n", "Get Vendor Command = ", ctrl.cmd);
retval = retval =
usb_control_msg(pdx->udev, usb_rcvctrlpipe(pdx->udev, 0), usb_control_msg(pdx->udev, usb_rcvctrlpipe(pdx->udev, 0),
...@@ -321,9 +325,11 @@ static int piusb_ioctl(struct inode *inode, struct file *file, unsigned int cmd, ...@@ -321,9 +325,11 @@ static int piusb_ioctl(struct inode *inode, struct file *file, unsigned int cmd,
return retval; return retval;
case PIUSB_SETVNDCMD: case PIUSB_SETVNDCMD:
if (copy_from_user if (__copy_from_user
(&ctrl, (void __user *)arg, sizeof(struct ioctl_struct))) (&ctrl, (void __user *)arg, sizeof(struct ioctl_struct))) {
dev_err(&pdx->udev->dev, "copy_from_user failed\n"); dev_err(&pdx->udev->dev, "copy_from_user failed\n");
return -EFAULT;
}
/* dbg( "%s %x", "Set Vendor Command = ",ctrl.cmd ); */ /* dbg( "%s %x", "Set Vendor Command = ",ctrl.cmd ); */
controlData = ctrl.pData[0]; controlData = ctrl.pData[0];
controlData |= (ctrl.pData[1] << 8); controlData |= (ctrl.pData[1] << 8);
...@@ -341,9 +347,11 @@ static int piusb_ioctl(struct inode *inode, struct file *file, unsigned int cmd, ...@@ -341,9 +347,11 @@ static int piusb_ioctl(struct inode *inode, struct file *file, unsigned int cmd,
return ((pdx->udev->speed == USB_SPEED_HIGH) ? 1 : 0); return ((pdx->udev->speed == USB_SPEED_HIGH) ? 1 : 0);
case PIUSB_WRITEPIPE: case PIUSB_WRITEPIPE:
if (copy_from_user(&ctrl, (void __user *)arg, _IOC_SIZE(cmd))) if (__copy_from_user(&ctrl, (void __user *)arg, _IOC_SIZE(cmd))) {
dev_err(&pdx->udev->dev, dev_err(&pdx->udev->dev,
"copy_from_user WRITE_DUMMY failed\n"); "copy_from_user WRITE_DUMMY failed\n");
return -EFAULT;
}
if (!access_ok(VERIFY_READ, ctrl.pData, ctrl.numbytes)) { if (!access_ok(VERIFY_READ, ctrl.pData, ctrl.numbytes)) {
dbg("can't access pData"); dbg("can't access pData");
return 0; return 0;
...@@ -352,9 +360,11 @@ static int piusb_ioctl(struct inode *inode, struct file *file, unsigned int cmd, ...@@ -352,9 +360,11 @@ static int piusb_ioctl(struct inode *inode, struct file *file, unsigned int cmd,
return ctrl.numbytes; return ctrl.numbytes;
case PIUSB_USERBUFFER: case PIUSB_USERBUFFER:
if (copy_from_user if (__copy_from_user
(&ctrl, (void __user *)arg, sizeof(struct ioctl_struct))) (&ctrl, (void __user *)arg, sizeof(struct ioctl_struct))) {
dev_err(&pdx->udev->dev, "copy_from_user failed\n"); dev_err(&pdx->udev->dev, "copy_from_user failed\n");
return -EFAULT;
}
return MapUserBuffer((struct ioctl_struct *) &ctrl, pdx); return MapUserBuffer((struct ioctl_struct *) &ctrl, pdx);
case PIUSB_UNMAP_USERBUFFER: case PIUSB_UNMAP_USERBUFFER:
...@@ -362,10 +372,11 @@ static int piusb_ioctl(struct inode *inode, struct file *file, unsigned int cmd, ...@@ -362,10 +372,11 @@ static int piusb_ioctl(struct inode *inode, struct file *file, unsigned int cmd,
return retval; return retval;
case PIUSB_READPIPE: case PIUSB_READPIPE:
if (copy_from_user(&ctrl, (void __user *)arg, if (__copy_from_user(&ctrl, (void __user *)arg,
sizeof(struct ioctl_struct))) sizeof(struct ioctl_struct))) {
dev_err(&pdx->udev->dev, "copy_from_user failed\n"); dev_err(&pdx->udev->dev, "copy_from_user failed\n");
return -EFAULT;
}
if (((0 == ctrl.endpoint) && (PIXIS_PID == pdx->iama)) || if (((0 == ctrl.endpoint) && (PIXIS_PID == pdx->iama)) ||
(1 == ctrl.endpoint) || /* ST133IO */ (1 == ctrl.endpoint) || /* ST133IO */
(4 == ctrl.endpoint)) /* PIXIS IO */ (4 == ctrl.endpoint)) /* PIXIS IO */
...@@ -383,9 +394,11 @@ static int piusb_ioctl(struct inode *inode, struct file *file, unsigned int cmd, ...@@ -383,9 +394,11 @@ static int piusb_ioctl(struct inode *inode, struct file *file, unsigned int cmd,
case PIUSB_SETFRAMESIZE: case PIUSB_SETFRAMESIZE:
dbg("PIUSB_SETFRAMESIZE"); dbg("PIUSB_SETFRAMESIZE");
if (copy_from_user if (__copy_from_user
(&ctrl, (void __user *)arg, sizeof(struct ioctl_struct))) (&ctrl, (void __user *)arg, sizeof(struct ioctl_struct))) {
dev_err(&pdx->udev->dev, "copy_from_user failed\n"); dev_err(&pdx->udev->dev, "copy_from_user failed\n");
return -EFAULT;
}
pdx->frameSize = ctrl.numbytes; pdx->frameSize = ctrl.numbytes;
pdx->num_frames = ctrl.numFrames; pdx->num_frames = ctrl.numFrames;
if (!pdx->sgl) if (!pdx->sgl)
...@@ -451,7 +464,10 @@ int piusb_output(struct ioctl_struct *io, unsigned char *uBuf, int len, ...@@ -451,7 +464,10 @@ int piusb_output(struct ioctl_struct *io, unsigned char *uBuf, int len,
dev_err(&pdx->udev->dev, "buffer_alloc failed\n"); dev_err(&pdx->udev->dev, "buffer_alloc failed\n");
return -ENOMEM; return -ENOMEM;
} }
memcpy(kbuf, uBuf, len); if(__copy_from_user(kbuf, uBuf, len)) {
dev_err(&pdx->udev->dev, "__copy_from_user failed\n");
return -EFAULT;
}
usb_fill_bulk_urb(urb, pdx->udev, pdx->hEP[io->endpoint], kbuf, usb_fill_bulk_urb(urb, pdx->udev, pdx->hEP[io->endpoint], kbuf,
len, piusb_write_bulk_callback, pdx); len, piusb_write_bulk_callback, pdx);
urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
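Review bot: In the PIUSB_SETVNDCMD hunk, `controlData = ctrl.pData[0];` and the line after it still dereference `ctrl.pData` directly, although `ctrl` has just been filled from `arg` and the PIUSB_WRITEPIPE case treats the same field as a user pointer (it runs `access_ok` on it). That leaves a caller-supplied address being read in kernel context, the same class of problem this commit removes from piusb_output by dropping `memcpy`. The two bytes should be fetched through the user-access helpers, e.g. `unsigned char vnd[2];` declared with the other locals and `if (copy_from_user(vnd, ctrl.pData, sizeof(vnd))) return -EFAULT;`, with `controlData` then built from `vnd`. Separately, the new `return -EFAULT;` in piusb_output is reached after the buffer allocation has succeeded, so `kbuf` (and presumably the urb, which is allocated outside the hunk) should be released on that path rather than leaked on every failed copy.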