
Commit 6bf850d5 authored by Arun KS's avatar Arun KS

esoc: Fix user space corruption due to wrong data type



The ESOC ioctl was designed to transfer data of type unsigned int, but
was pushing data of type unsigned long, causing data corruption
in user space. Fix this by changing the put_user() calls to use unsigned int.

Change-Id: Ia233eedd76f1ca1ec3036889d6764e568ee975dd
Signed-off-by: default avatarArun KS <arunks@codeaurora.org>
parent 40116ce2
+4 −4
/* Copyright (c) 2013-2014, The Linux Foundation. All rights reserved.
/* Copyright (c) 2013-2014, 2017, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -214,7 +214,7 @@ static long esoc_dev_ioctl(struct file *file, unsigned int cmd,
							esoc_clink->name);
				return -EIO;
			}
			put_user(req, (unsigned long __user *)uarg);
			put_user(req, (unsigned int __user *)uarg);

		}
		return err;
@@ -227,7 +227,7 @@ static long esoc_dev_ioctl(struct file *file, unsigned int cmd,
		err = clink_ops->get_status(&status, esoc_clink);
		if (err)
			return err;
		put_user(status, (unsigned long __user *)uarg);
		put_user(status, (unsigned int __user *)uarg);
		break;
	case ESOC_WAIT_FOR_CRASH:
		err = wait_event_interruptible(esoc_udev->evt_wait,
@@ -241,7 +241,7 @@ static long esoc_dev_ioctl(struct file *file, unsigned int cmd,
							esoc_clink->name);
				return -EIO;
			}
			put_user(evt, (unsigned long __user *)uarg);
			put_user(evt, (unsigned int __user *)uarg);
		}
		return err;
		break;
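Review bot: All three `put_user()` calls touched here (for `req`, `status` and `evt`) still discard the return value, so a bad or unmapped `uarg` passed from user space fails silently and the ioctl can report success while the caller reads whatever was already in its buffer. Each call should propagate the fault, e.g. `if (put_user(status, (unsigned int __user *)uarg)) return -EFAULT;`. The declarations of `req`, `status` and `evt` are outside the visible hunks; if any of them is wider than `unsigned int`, the value is now narrowed to 32 bits on copy-out, which is presumably intended but worth confirming against the declarations. esoc_dev_ioctl starts and ends outside these hunks.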
+5 −5
@@ -3,11 +3,11 @@

#define ESOC_CODE		0xCC

#define ESOC_CMD_EXE		_IOW(ESOC_CODE, 1, u32)
#define ESOC_WAIT_FOR_REQ	_IOR(ESOC_CODE, 2, u32)
#define ESOC_NOTIFY		_IOW(ESOC_CODE, 3, u32)
#define ESOC_GET_STATUS		_IOR(ESOC_CODE, 4, u32)
#define ESOC_WAIT_FOR_CRASH	_IOR(ESOC_CODE, 6, u32)
#define ESOC_CMD_EXE		_IOW(ESOC_CODE, 1, unsigned int)
#define ESOC_WAIT_FOR_REQ	_IOR(ESOC_CODE, 2, unsigned int)
#define ESOC_NOTIFY		_IOW(ESOC_CODE, 3, unsigned int)
#define ESOC_GET_STATUS		_IOR(ESOC_CODE, 4, unsigned int)
#define ESOC_WAIT_FOR_CRASH	_IOR(ESOC_CODE, 6, unsigned int)
#define ESOC_REG_REQ_ENG	_IO(ESOC_CODE, 7)
#define ESOC_REG_CMD_ENG	_IO(ESOC_CODE, 8)