
Commit c779ef0e authored by Mayank Rana, committed by Gerrit - the friendly Code Review server

f_gsi: Use kernel buffer instead of user space provided buffer



The gsi_ctrl_dev_write() and gsi_ctrl_dev_read() APIs directly use the user
space provided buffer when qti_packet_debug is enabled. This can result
in using an untrusted buffer pointer. Hence use cpkt->buf, i.e. the kernel
space buffer pointer, instead of directly using the user space provided buffer.

CRs-Fixed: 2061391
Change-Id: Iba6f2845dae2755446b4b8e9f3041686877d7bc4
Signed-off-by: Mayank Rana <mrana@codeaurora.org>
parent 827c6ada
+2 −2
@@ -1432,7 +1432,7 @@ gsi_ctrl_dev_read(struct file *fp, char __user *buf, size_t count, loff_t *pos)
	log_event_dbg("%s: cpkt size:%d", __func__, cpkt->len);
	if (qti_packet_debug)
		print_hex_dump(KERN_DEBUG, "READ:", DUMP_PREFIX_OFFSET, 16, 1,
			buf, min_t(int, 30, cpkt->len), false);
			cpkt->buf, min_t(int, 30, cpkt->len), false);

	ret = copy_to_user(buf, cpkt->buf, cpkt->len);
	if (ret) {
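Review bot: in gsi_ctrl_dev_read(), the copy_to_user(buf, cpkt->buf, cpkt->len) right after the dump copies cpkt->len bytes, while the caller's limit is count, and no comparison of the two is visible in this hunk. If cpkt->len is not already checked against count earlier in the function, that check belongs before the copy. The dump itself now reads from the kernel copy, which is the right source, but note that with qti_packet_debug set it writes up to 30 bytes of control packet payload to the kernel log at KERN_DEBUG, so a comment or documentation line saying the knob is for debugging only would help.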
@@ -1505,7 +1505,7 @@ static ssize_t gsi_ctrl_dev_write(struct file *fp, const char __user *buf,
	c_port->copied_from_modem++;
	if (qti_packet_debug)
		print_hex_dump(KERN_DEBUG, "WRITE:", DUMP_PREFIX_OFFSET, 16, 1,
			buf, min_t(int, 30, count), false);
			cpkt->buf, min_t(int, 30, count), false);

	spin_lock_irqsave(&c_port->lock, flags);
	list_add_tail(&cpkt->list, &c_port->cpkt_resp_q);
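Review bot: in the gsi_ctrl_dev_write() dump, the length is still min_t(int, 30, count), the caller-supplied size, while the data now comes from cpkt->buf. That is only safe if cpkt->buf holds at least count bytes and has already been filled from the user buffer before this line, which is not visible in the hunk. Bounding the dump by the packet's own length, as the read path does with cpkt->len, would keep the length tied to the buffer being read. Also, min_t(int, ...) casts count to int; if count is size_t here as it is in the read signature, min_t(size_t, 30, count) avoids a negative result for very large values.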