Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 29973f8a authored Apr 18, 2019 by Fuqian Huang Committed by Greg Kroah-Hartman Apr 25, 2019

tty: rocket: Remove RCPK_GET_STRUCT ioctl



If the cmd is RCPK_GET_STRUCT, copy_to_user will copy
info to user space. As info->port.ops is the address of
a constant object rocket_port_ops (assigned in init_r_port),
a kernel address leakage happens.

Remove the RCPK_GET_STRUCT ioctl.

Signed-off-by: Fuqian Huang <huangfq.daxian@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent 8daa89e0

drivers/tty/rocket.c

+0 −4

Original line number	Diff line number	Diff line
		@@ -1283,10 +1283,6 @@ static int rp_ioctl(struct tty_struct *tty,
		return -ENXIO;

		switch (cmd) {
		case RCKP_GET_STRUCT:
		if (copy_to_user(argp, info, sizeof (struct r_port)))
		ret = -EFAULT;
		break;
		case RCKP_GET_CONFIG:
		ret = get_config(info, argp);
		break;

drivers/tty/rocket.h

+0 −1

Original line number	Diff line number	Diff line
		@@ -71,7 +71,6 @@ struct rocket_version {
		/*
		* Rocketport ioctls -- "RP"
		*/
		#define RCKP_GET_STRUCT 0x00525001
		#define RCKP_GET_CONFIG 0x00525002
		#define RCKP_SET_CONFIG 0x00525003
		#define RCKP_GET_PORTS 0x00525004