
Commit b8199c2b authored by Arumuga Durai A

USB: gadget: mbim: Avoid copying uninitialized data to userspace



A race condition bug in function 'mbim_bind_config' allows
changing the 'mbim->xport' type to an invalid value. This allows
mbim_ioctl() to copy uninitialized data to userspace. Fix
this by avoiding the copy_to_user() call when the transport type is invalid.

Change-Id: If8e8b6d4e2c347e1aff529bed0a798128eaea07c
CRs-Fixed: 1102418
Signed-off-by: Arumuga Durai A <cadurai@codeaurora.org>
parent e5c91c68
+2 −1
@@ -2030,7 +2030,7 @@ static long mbim_ioctl(struct file *fp, unsigned cmd, unsigned long arg)
		default:
			ret = -ENODEV;
			pr_err("unknown transport\n");
			break;
			goto fail;
		}

		ret = copy_to_user((void __user *)arg, &info,
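Review bot: the default: branch now skips copy_to_user(), but `info` is still only populated by whichever switch case runs, so the copy stays safe only as long as every other case writes all of it. Zero-initialising `info` before the switch (for example memset(&info, 0, sizeof(info))) would make the copy_to_user() call safe independent of the branch taken and would cover any bytes the cases do not write. The commit message names a race in mbim_bind_config as the source of the invalid mbim->xport value; this hunk leaves that race in place and only handles its symptom here, so the commit message or a comment at the default: branch should say whether the race itself is fixed elsewhere.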
@@ -2046,6 +2046,7 @@ static long mbim_ioctl(struct file *fp, unsigned cmd, unsigned long arg)
		ret = -EINVAL;
	}

fail:
	mbim_unlock(&mbim->ioctl_excl);

	return ret;
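Review bot: the new `fail:` label in front of mbim_unlock(&mbim->ioctl_excl) is also reached by fall-through on the normal path, so the name is misleading for anyone reading the success case. A neutral name such as `out:` or `unlock:` would describe what the label does, which is release ioctl_excl and return ret for every exit from the function.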