diff options
author | Ashutosh Dixit <ashutosh.dixit@intel.com> | 2016-04-27 14:36:05 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2016-04-27 15:29:46 -0700 |
commit | 9bf292bfca94694a721449e3fd752493856710f6 (patch) | |
tree | 5e084b022abdcfec6719a6ae3d4c5cf023ec2409 /drivers/misc/mic | |
parent | 2fc5ddaa3f1f1d7a1f7f455e287e97bf298ab8d7 (diff) | |
download | linux-stable-9bf292bfca94694a721449e3fd752493856710f6.tar.gz linux-stable-9bf292bfca94694a721449e3fd752493856710f6.tar.bz2 linux-stable-9bf292bfca94694a721449e3fd752493856710f6.zip |
misc: mic: Fix for double fetch security bug in VOP driver
The MIC VOP driver does two successive reads from user space to read a
variable length data structure. Kernel memory corruption can result if
the data structure changes between the two reads. This patch disallows
the chance of this happening.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=116651
Reported by: Pengfei Wang <wpengfeinudt@gmail.com>
Reviewed-by: Sudeep Dutt <sudeep.dutt@intel.com>
Signed-off-by: Ashutosh Dixit <ashutosh.dixit@intel.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/misc/mic')
-rw-r--r-- | drivers/misc/mic/vop/vop_vringh.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/drivers/misc/mic/vop/vop_vringh.c b/drivers/misc/mic/vop/vop_vringh.c index e94c7fb6712a..88e45234d527 100644 --- a/drivers/misc/mic/vop/vop_vringh.c +++ b/drivers/misc/mic/vop/vop_vringh.c @@ -945,6 +945,11 @@ static long vop_ioctl(struct file *f, unsigned int cmd, unsigned long arg) ret = -EFAULT; goto free_ret; } + /* Ensure desc has not changed between the two reads */ + if (memcmp(&dd, dd_config, sizeof(dd))) { + ret = -EINVAL; + goto free_ret; + } mutex_lock(&vdev->vdev_mutex); mutex_lock(&vi->vop_mutex); ret = vop_virtio_add_device(vdev, dd_config); |