Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4280cfd5 authored by Kamal Negi's avatar Kamal Negi
Browse files

radio-iris: Use copy_from_user API to access userspace memory 



Directly accessing userspace memory pointer in kernel space without
checking validity of pointer. This can lead to security vulnerability.
Use copy_from_user API's to make sure there is no illegal memory access.

Change-Id: I66a0b1931814ee19634a30dee02a5600066aa70b
Signed-off-by: default avatarKamal Negi <kamaln@codeaurora.org>
parent 4a2c6023

drivers/media/radio/radio-iris.c

+13 −3
Original line number Diff line number Diff line
@@ -3745,6 +3745,7 @@ static int iris_vidioc_s_ext_ctrls(struct file *file, void *priv, 
	struct hci_fm_set_cal_req_proc proc_cal_req;

	struct hci_fm_set_spur_table_req spur_tbl_req;

	char *spur_data;

	char tmp_buf[2];



	struct iris_device *radio = video_get_drvdata(video_devdata(file));

	char *data = NULL;
@@ -3881,9 +3882,18 @@ static int iris_vidioc_s_ext_ctrls(struct file *file, void *priv, 
	case V4L2_CID_PRIVATE_IRIS_SET_SPURTABLE:

		memset(&spur_tbl_req, 0, sizeof(spur_tbl_req));

		data = (ctrl->controls[0]).string;

		bytes_to_copy = (ctrl->controls[0]).size;

		spur_tbl_req.mode = data[0];

		spur_tbl_req.no_of_freqs_entries = data[1];

		if (copy_from_user(&bytes_to_copy, &((ctrl->controls[0]).size),

					sizeof(bytes_to_copy))) {

			retval = -EFAULT;

			goto END;

		}

		if (copy_from_user(&tmp_buf[0], &data[0],

					sizeof(tmp_buf))) {

			retval = -EFAULT;

			goto END;

		}

		spur_tbl_req.mode = tmp_buf[0];

		spur_tbl_req.no_of_freqs_entries = tmp_buf[1];



		if (((spur_tbl_req.no_of_freqs_entries * SPUR_DATA_LEN) !=

					bytes_to_copy - 2) ||