diff options
author | Ashutosh Dixit <ashutosh.dixit@intel.com> | 2016-04-27 14:36:05 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2016-04-27 15:30:58 -0700 |
commit | 82dc4afd7e65455464f0fc2fe6976efde54fe451 (patch) | |
tree | 8d84c648ca1e8f0684ac16435dfa9f5c91c30747 | |
parent | c3b46c73264b03000d1e18b22f5caf63332547c9 (diff) | |
download | linux-stable-82dc4afd7e65455464f0fc2fe6976efde54fe451.tar.gz linux-stable-82dc4afd7e65455464f0fc2fe6976efde54fe451.tar.bz2 linux-stable-82dc4afd7e65455464f0fc2fe6976efde54fe451.zip |
misc: mic: Fix for double fetch security bug in VOP driver
The MIC VOP driver does two successive reads from user space to read a
variable length data structure. Kernel memory corruption can result if
the data structure changes between the two reads. This patch disallows
the chance of this happening.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=116651
Reported by: Pengfei Wang <wpengfeinudt@gmail.com>
Reviewed-by: Sudeep Dutt <sudeep.dutt@intel.com>
Signed-off-by: Ashutosh Dixit <ashutosh.dixit@intel.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r-- | drivers/misc/mic/vop/vop_vringh.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/misc/mic/vop/vop_vringh.c b/drivers/misc/mic/vop/vop_vringh.c index e94c7fb6712a..88e45234d527 100644 --- a/drivers/misc/mic/vop/vop_vringh.c +++ b/drivers/misc/mic/vop/vop_vringh.c @@ -945,6 +945,11 @@ static long vop_ioctl(struct file *f, unsigned int cmd, unsigned long arg) ret = -EFAULT; goto free_ret; } + /* Ensure desc has not changed between the two reads */ + if (memcmp(&dd, dd_config, sizeof(dd))) { + ret = -EINVAL; + goto free_ret; + } mutex_lock(&vdev->vdev_mutex); mutex_lock(&vi->vop_mutex); ret = vop_virtio_add_device(vdev, dd_config); |