Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0ef6a63c authored by Liangliang Lu's avatar Liangliang Lu
Browse files

usb: dwc3: Replace sscanf with kstrtou8_from_user 



Variable "ubuf " may point to  kernel address, a malicious user
could use code logic to get kernel information. Use
kstrtou8_from_user() which take care of copying buffer, and finding
u8 value here.

Change-Id: I7228d893ef757c814b26745663270b8a461b1728
Signed-off-by: default avatarLiangliang Lu <luliang@codeaurora.org>
parent 3f91f859

drivers/usb/dwc3/debugfs.c

+13 −5
Original line number Diff line number Diff line
@@ -897,21 +897,30 @@ void dwc3_dbg_print_reg(struct dwc3 *dwc, const char *name, int reg) 
static ssize_t dwc3_store_int_events(struct file *file,

			const char __user *ubuf, size_t count, loff_t *ppos)

{

	int clear_stats, i;

	int i, ret;

	unsigned long flags;

	struct seq_file *s = file->private_data;

	struct dwc3 *dwc = s->private;

	struct dwc3_ep *dep;

	struct timespec ts;

	u8 clear_stats;



	if (ubuf == NULL) {

		pr_err("[%s] EINVAL\n", __func__);

		goto done;

		ret = -EINVAL;

		return ret;

	}



	if (sscanf(ubuf, "%u", &clear_stats) != 1 || clear_stats != 0) {

	ret = kstrtou8_from_user(ubuf, count, 0, &clear_stats);

	if (ret < 0) {

		pr_err("can't get enter value.\n");

		return ret;

	}



	if (clear_stats != 0) {

		pr_err("Wrong value. To clear stats, enter value as 0.\n");

		goto done;

		ret = -EINVAL;

		return ret;

	}



	spin_lock_irqsave(&dwc->lock, flags);
@@ -928,7 +937,6 @@ static ssize_t dwc3_store_int_events(struct file *file, 


	spin_unlock_irqrestore(&dwc->lock, flags);



done:

	return count;

}