Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ef87dbe7 authored by Matthew Daley's avatar Matthew Daley Committed by Linus Torvalds
Browse files

floppy: ignore kernel-only members in FDRAWCMD ioctl input 



Always clear out these floppy_raw_cmd struct members after copying the
entire structure from userspace so that the in-kernel version is always
valid and never left in an interdeterminate state.

Signed-off-by: default avatarMatthew Daley <mattd@bugfuzz.com>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 89ca3b88

drivers/block/floppy.c

+3 −3
Original line number Original line Diff line number Diff line
@@ -3121,10 +3121,11 @@ loop: 
		return -ENOMEM;

		return -ENOMEM;

	*rcmd = ptr;

	*rcmd = ptr;

	ret = copy_from_user(ptr, param, sizeof(*ptr));

	ret = copy_from_user(ptr, param, sizeof(*ptr));

	if (ret)

		return -EFAULT;

	ptr->next = NULL;

	ptr->next = NULL;

	ptr->buffer_length = 0;

	ptr->buffer_length = 0;

	ptr->kernel_data = NULL;

	if (ret)

		return -EFAULT;

	param += sizeof(struct floppy_raw_cmd);

	param += sizeof(struct floppy_raw_cmd);

	if (ptr->cmd_count > 33)

	if (ptr->cmd_count > 33)

			/* the command may now also take up the space

			/* the command may now also take up the space
@@ -3140,7 +3141,6 @@ loop: 
	for (i = 0; i < 16; i++)

	for (i = 0; i < 16; i++)

		ptr->reply[i] = 0;

		ptr->reply[i] = 0;

	ptr->resultcode = 0;

	ptr->resultcode = 0;

	ptr->kernel_data = NULL;





	if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {

	if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {

		if (ptr->length <= 0)

		if (ptr->length <= 0)