diff options
author | Heiko Carstens <heiko.carstens@de.ibm.com> | 2017-08-07 15:16:15 +0200 |
---|---|---|
committer | Martin Schwidefsky <schwidefsky@de.ibm.com> | 2017-08-09 09:09:32 -0400 |
commit | 267239cc10f18251892a0783104df3dc22b620d5 (patch) | |
tree | f420241fbc3f469085c8d5a2105a90b3fd4d26ac /drivers/s390 | |
parent | 34ad7cdc1bb2ea65934d235be89fabf1bb40d824 (diff) |
s390/vmcp: fix uaccess check and avoid undefined behavior
The vmcp device driver should return -EFAULT if get_user() fails, due
to an invalid user space address. In addition the buffer size value
from user space is passed unchecked to get_order(). The return value
of get_order(0) undefined.
Therefore explicitly test for zero before calling get_order() and also
return -EFAULT if get_user() fails.
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Diffstat (limited to 'drivers/s390')
-rw-r--r-- | drivers/s390/char/vmcp.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/s390/char/vmcp.c b/drivers/s390/char/vmcp.c index 98749fa817da..66d5e9f83e0d 100644 --- a/drivers/s390/char/vmcp.c +++ b/drivers/s390/char/vmcp.c @@ -150,7 +150,9 @@ static long vmcp_ioctl(struct file *file, unsigned int cmd, unsigned long arg) get_order(session->bufsize)); session->response=NULL; temp = get_user(session->bufsize, argp); - if (get_order(session->bufsize) > 8) { + if (temp) + session->bufsize = PAGE_SIZE; + if (!session->bufsize || get_order(session->bufsize) > 8) { session->bufsize = PAGE_SIZE; temp = -EINVAL; } |