From patchwork Thu Oct 21 05:46:58 2010 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dan Carpenter X-Patchwork-Id: 270141 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by demeter1.kernel.org (8.14.4/8.14.3) with ESMTP id o9L5lDIv000395 for ; Thu, 21 Oct 2010 05:47:14 GMT Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754199Ab0JUFrM (ORCPT ); Thu, 21 Oct 2010 01:47:12 -0400 Received: from mail-ww0-f44.google.com ([74.125.82.44]:34976 "EHLO mail-ww0-f44.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754173Ab0JUFrL (ORCPT ); Thu, 21 Oct 2010 01:47:11 -0400 Received: by wwf26 with SMTP id 26so2134452wwf.1 for ; Wed, 20 Oct 2010 22:47:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:date:from:to:cc:subject :message-id:mime-version:content-type:content-disposition:user-agent; bh=H3raS9ZznZ/i3h3ApDNH02+QFwQ+GRLzhCoW74iU1cA=; b=QbAOfDjpgituYzXdOKpqZ0zyT5YcCERJWswgzdCDJYFvK1Z9q2pnOiJy7sVEjtw2zc ilUNkaJNbWVmU48YLnG+KA6moatKiJsKvYy7yh2l+B6r1uzP1BrQbBYvqJOgzmbapoEM aceoApQjhqqBFBmxiMDTi6Ea2XBuBP9Mc1mHc= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=date:from:to:cc:subject:message-id:mime-version:content-type :content-disposition:user-agent; b=Vir4/u+WxWk5cbBs+niCFQuIqOafloO/S/jIrKiL5wiSMYIItjWdFePL2VunelTbfn ZbYZXPGhXy/PxaC+do7bI5n/6yg5LtOUf58Rzit7qVYgegNAkRegmkadCqPXQSI7o4e+ cMJXex+RwV+YnkWf5bbIMoBNtZ8HXxehAlMPM= Received: by 10.227.156.68 with SMTP id v4mr459353wbw.224.1287640029459; Wed, 20 Oct 2010 22:47:09 -0700 (PDT) Received: from bicker (h3f06.n1.ips.mtn.co.ug [41.210.191.6]) by mx.google.com with ESMTPS id ga16sm962826wbb.19.2010.10.20.22.47.04 (version=TLSv1/SSLv3 cipher=RC4-MD5); Wed, 20 Oct 2010 22:47:08 -0700 (PDT) Date: Thu, 21 Oct 2010 07:46:58 +0200 From: Dan Carpenter To: Greg Kroah-Hartman Cc: Arnd Bergmann , devel@driverdev.osuosl.org, kernel-janitors@vger.kernel.org, linux-wireless@vger.kernel.org Subject: [patch] Staging: bcm: use get_user() to access user pointers Message-ID: <20101021054657.GE5985@bicker> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.18 (2008-05-17) Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-4.2.3 (demeter1.kernel.org [140.211.167.41]); Thu, 21 Oct 2010 05:47:14 +0000 (UTC) diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c index 77fdfe2..fead9c5 100644 --- a/drivers/staging/bcm/Bcmchar.c +++ b/drivers/staging/bcm/Bcmchar.c @@ -1001,13 +1001,15 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg) } #endif case IOCTL_BE_BUCKET_SIZE: - Adapter->BEBucketSize = *(PULONG)arg; - Status = STATUS_SUCCESS; + Status = 0; + if (get_user(Adapter->BEBucketSize, (unsigned long __user *)arg)) + Status = -EFAULT; break; case IOCTL_RTPS_BUCKET_SIZE: - Adapter->rtPSBucketSize = *(PULONG)arg; - Status = STATUS_SUCCESS; + Status = 0; + if (get_user(Adapter->rtPSBucketSize, (unsigned long __user *)arg)) + Status = -EFAULT; break; case IOCTL_CHIP_RESET: { @@ -1028,11 +1030,15 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg) case IOCTL_QOS_THRESHOLD: { USHORT uiLoopIndex; - for(uiLoopIndex = 0 ; uiLoopIndex < NO_OF_QUEUES ; uiLoopIndex++) - { - Adapter->PackInfo[uiLoopIndex].uiThreshold = *(PULONG)arg; + + Status = 0; + for (uiLoopIndex = 0; uiLoopIndex < NO_OF_QUEUES; uiLoopIndex++) { + if (get_user(Adapter->PackInfo[uiLoopIndex].uiThreshold, + (unsigned long __user *)arg)) { + Status = -EFAULT; + break; + } } - Status = STATUS_SUCCESS; break; } @@ -1093,7 +1099,8 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg) } case IOCTL_BCM_GET_CURRENT_STATUS: { - LINK_STATE *plink_state = NULL; + LINK_STATE plink_state; + /* Copy Ioctl Buffer structure */ if(copy_from_user(&IoBuffer, argp, sizeof(IOCTL_BUFFER))) { @@ -1101,13 +1108,19 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg) Status = -EFAULT; break; } - plink_state = (LINK_STATE*)arg; - plink_state->bIdleMode = (UCHAR)Adapter->IdleMode; - plink_state->bShutdownMode = Adapter->bShutStatus; - plink_state->ucLinkStatus = (UCHAR)Adapter->LinkStatus; - if(copy_to_user(IoBuffer.OutputBuffer, - (PUCHAR)plink_state, (UINT)IoBuffer.OutputLength)) - { + if (IoBuffer.OutputLength != sizeof(plink_state)) { + Status = -EINVAL; + break; + } + + if (copy_from_user(&plink_state, (void __user *)arg, sizeof(plink_state))) { + Status = -EFAULT; + break; + } + plink_state.bIdleMode = (UCHAR)Adapter->IdleMode; + plink_state.bShutdownMode = Adapter->bShutStatus; + plink_state.ucLinkStatus = (UCHAR)Adapter->LinkStatus; + if (copy_to_user(IoBuffer.OutputBuffer, &plink_state, IoBuffer.OutputLength)) { BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0, "Copy_to_user Failed..\n"); Status = -EFAULT; break; @@ -1331,7 +1344,9 @@ static long bcm_char_ioctl(struct file *filp, UINT cmd, ULONG arg) BCM_DEBUG_PRINT(Adapter,DBG_TYPE_PRINTK, 0, 0,"Copy From User space failed. status :%d", Status); return -EFAULT; } - uiSectorSize = *((PUINT)(IoBuffer.InputBuffer)); /* FIXME: unchecked __user access */ + if (get_user(uiSectorSize, (unsigned int __user *)IoBuffer.InputBuffer)) + return -EFAULT; + if((uiSectorSize < MIN_SECTOR_SIZE) || (uiSectorSize > MAX_SECTOR_SIZE)) {