Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 96a62c1d authored by Lee Susman's avatar Lee Susman
Browse files

mmc: card: fix arbitrary write via read handler in mmc_block_test 



In mmc_block_test, the debug_fs based read function handlers write to an
arbitrary buffer which is given by any user. We add an access_ok check
to verify that the address pointed by *buffer is not in kernel space.
Only if the buffer is valid, do we continue the read handler.

Change-Id: I35fe9bb70df8de92cb4d3b15c851aa9131a0e8d9
Signed-off-by: default avatarLee Susman <lsusman@codeaurora.org>
parent e2d29664

drivers/mmc/card/mmc_block_test.c

+24 −0
Original line number Diff line number Diff line
@@ -2219,6 +2219,9 @@ static ssize_t send_write_packing_test_read(struct file *file, 
			       size_t count,

			       loff_t *offset)

{

	if (!access_ok(VERIFY_WRITE, buffer, count))

		return count;



	memset((void *)buffer, 0, count);



	snprintf(buffer, count,
@@ -2317,6 +2320,9 @@ static ssize_t err_check_test_read(struct file *file, 
			       size_t count,

			       loff_t *offset)

{

	if (!access_ok(VERIFY_WRITE, buffer, count))

		return count;



	memset((void *)buffer, 0, count);



	snprintf(buffer, count,
@@ -2425,6 +2431,9 @@ static ssize_t send_invalid_packed_test_read(struct file *file, 
			       size_t count,

			       loff_t *offset)

{

	if (!access_ok(VERIFY_WRITE, buffer, count))

		return count;



	memset((void *)buffer, 0, count);



	snprintf(buffer, count,
@@ -2539,6 +2548,9 @@ static ssize_t write_packing_control_test_read(struct file *file, 
			       size_t count,

			       loff_t *offset)

{

	if (!access_ok(VERIFY_WRITE, buffer, count))

		return count;



	memset((void *)buffer, 0, count);



	snprintf(buffer, count,
@@ -2621,6 +2633,9 @@ static ssize_t bkops_test_read(struct file *file, 
			       size_t count,

			       loff_t *offset)

{

	if (!access_ok(VERIFY_WRITE, buffer, count))

		return count;



	memset((void *)buffer, 0, count);



	snprintf(buffer, count,
@@ -2709,6 +2724,9 @@ static ssize_t long_sequential_read_test_read(struct file *file, 
			       size_t count,

			       loff_t *offset)

{

	if (!access_ok(VERIFY_WRITE, buffer, count))

		return count;



	memset((void *)buffer, 0, count);



	snprintf(buffer, count,
@@ -2869,6 +2887,9 @@ static ssize_t long_sequential_write_test_read(struct file *file, 
			       size_t count,

			       loff_t *offset)

{

	if (!access_ok(VERIFY_WRITE, buffer, count))

		return count;



	memset((void *)buffer, 0, count);



	snprintf(buffer, count,
@@ -2942,6 +2963,9 @@ static ssize_t new_req_notification_test_read(struct file *file, 
			       size_t count,

			       loff_t *offset)

{

	if (!access_ok(VERIFY_WRITE, buffer, count))

		return count;



	memset((void *)buffer, 0, count);



	snprintf(buffer, count,