Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 45c571f4 authored by Raviv Shvili's avatar Raviv Shvili
Browse files

mmc: core : fix arbitrary read/write to user space 



In the MMC card debug_fs the read and write handlers use the strlcat
and sscanf, without checking the pointer given.
Since the pointer is not checked it is possible to write
everywhere (ring 0 or 3).
In order to fix it, an access_ok function is being used to verify
the buffer's pointer supplied by user is valid.

CRs-fixed: 545716

Change-Id: I13ca736337fefe29ff9b0df6a318e7d92240f8b2
Signed-off-by: default avatarRaviv Shvili <rshvili@codeaurora.org>
parent c936945a

drivers/mmc/core/debugfs.c

+3 −0
Original line number Diff line number Diff line
@@ -663,6 +663,9 @@ static ssize_t mmc_bkops_stats_write(struct file *filp, 
	if (!card)

		return cnt;



	if (!access_ok(VERIFY_READ, ubuf, cnt))

		return cnt;



	bkops_stats = &card->bkops_info.bkops_stats;



	sscanf(ubuf, "%d", &value);