|
|
e293be |
Replace this with patch-copy_from_user-warning-v2.patch .
|
|
|
e293be |
|
|
|
e293be |
diff -up ./drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c.cfu ./drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c
|
|
|
e293be |
--- ./drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c.cfu 2018-10-30 20:06:59.000000000 +0900
|
|
|
e293be |
|
|
|
e293be |
@@ -4494,12 +4494,16 @@ int vmw_execbuf_ioctl(struct drm_device
|
|
|
e293be |
return -EINVAL;
|
|
|
e293be |
}
|
|
|
e293be |
|
|
|
e293be |
- if (arg.version > 1 &&
|
|
|
e293be |
- copy_from_user(&arg.context_handle,
|
|
|
e293be |
- (void __user *) (data + copy_offset[0]),
|
|
|
e293be |
- copy_offset[arg.version - 1] -
|
|
|
e293be |
- copy_offset[0]) != 0)
|
|
|
e293be |
- return -EFAULT;
|
|
|
e293be |
+ if (arg.version > 1) {
|
|
|
e293be |
+ /* to make copy_from_user() happy, check bounds beforehand */
|
|
|
e293be |
+ size_t copysize = copy_offset[arg.version - 1] - copy_offset[0];
|
|
|
e293be |
+ if (copysize > sizeof(arg.context_handle))
|
|
|
e293be |
+ return -EFAULT;
|
|
|
e293be |
+ if (copy_from_user(&arg.context_handle,
|
|
|
e293be |
+ (void __user *) (data + copy_offset[0]),
|
|
|
e293be |
+ copysize) != 0)
|
|
|
e293be |
+ return -EFAULT;
|
|
|
e293be |
+ }
|
|
|
e293be |
|
|
|
e293be |
switch (arg.version) {
|
|
|
e293be |
case 1:
|
|
|
e293be |
diff -up ./drivers/isdn/hardware/avm/b1.c.cfu ./drivers/isdn/hardware/avm/b1.c
|
|
|
e293be |
--- ./drivers/isdn/hardware/avm/b1.c.cfu 2018-10-05 05:18:19.000000000 +0900
|
|
|
e293be |
|
|
|
e293be |
@@ -176,6 +176,8 @@ int b1_load_t4file(avmcard *card, capilo
|
|
|
e293be |
}
|
|
|
e293be |
if (left) {
|
|
|
e293be |
if (t4file->user) {
|
|
|
e293be |
+ if (left > sizeof(buf))
|
|
|
e293be |
+ return -EFAULT;
|
|
|
e293be |
if (copy_from_user(buf, dp, left))
|
|
|
e293be |
return -EFAULT;
|
|
|
e293be |
} else {
|
|
|
e293be |
@@ -224,6 +226,8 @@ int b1_load_config(avmcard *card, capilo
|
|
|
e293be |
}
|
|
|
e293be |
if (left) {
|
|
|
e293be |
if (config->user) {
|
|
|
e293be |
+ if (left > sizeof(buf))
|
|
|
e293be |
+ return -EFAULT;
|
|
|
e293be |
if (copy_from_user(buf, dp, left))
|
|
|
e293be |
return -EFAULT;
|
|
|
e293be |
} else {
|
|
|
e293be |
diff -up ./fs/binfmt_misc.c.cfu ./fs/binfmt_misc.c
|
|
|
e293be |
--- ./fs/binfmt_misc.c.cfu 2018-10-05 05:18:19.000000000 +0900
|
|
|
e293be |
|
|
|
e293be |
@@ -396,12 +396,12 @@ static int parse_command(const char __us
|
|
|
e293be |
{
|
|
|
e293be |
char s[4];
|
|
|
e293be |
|
|
|
e293be |
- if (!count)
|
|
|
e293be |
- return 0;
|
|
|
e293be |
if (count > 3)
|
|
|
e293be |
return -EINVAL;
|
|
|
e293be |
if (copy_from_user(s, buffer, count))
|
|
|
e293be |
return -EFAULT;
|
|
|
e293be |
+ if (!count)
|
|
|
e293be |
+ return 0;
|
|
|
e293be |
if (s[count-1] == '\n')
|
|
|
e293be |
count
|
|
|
e293be |
if (count == 1 && s[0] == '0')
|
|
|
e293be |
diff -up ./kernel/sys.c.cfu ./kernel/sys.c
|
|
|
e293be |
--- ./kernel/sys.c.cfu 2018-10-05 05:18:19.000000000 +0900
|
|
|
e293be |
|
|
|
e293be |
@@ -2097,7 +2097,10 @@ static int prctl_set_mm_map(int opt, con
|
|
|
e293be |
return error;
|
|
|
e293be |
|
|
|
e293be |
if (prctl_map.auxv_size) {
|
|
|
e293be |
+ unsigned long arg4 = prctl_map.auxv_size;
|
|
|
e293be |
memset(user_auxv, 0, sizeof(user_auxv));
|
|
|
e293be |
+ if (arg4 > sizeof(user_auxv))
|
|
|
e293be |
+ return -EFAULT;
|
|
|
e293be |
if (copy_from_user(user_auxv,
|
|
|
e293be |
(const void __user *)prctl_map.auxv,
|
|
|
e293be |
prctl_map.auxv_size))
|
|
|
e293be |
diff -up ./net/core/pktgen.c.cfu ./net/core/pktgen.c
|
|
|
e293be |
--- ./net/core/pktgen.c.cfu 2018-10-05 05:18:19.000000000 +0900
|
|
|
e293be |
|
|
|
e293be |
@@ -881,6 +881,8 @@ static ssize_t pktgen_if_write(struct fi
|
|
|
e293be |
return len;
|
|
|
e293be |
|
|
|
e293be |
memset(name, 0, sizeof(name));
|
|
|
e293be |
+ if (len > sizeof(name))
|
|
|
e293be |
+ return -EFAULT;
|
|
|
e293be |
if (copy_from_user(name, &user_buffer[i], len))
|
|
|
e293be |
return -EFAULT;
|
|
|
e293be |
i += len;
|
|
|
e293be |
@@ -1798,6 +1800,8 @@ static ssize_t pktgen_thread_write(struc
|
|
|
e293be |
return len;
|
|
|
e293be |
|
|
|
e293be |
memset(name, 0, sizeof(name));
|
|
|
e293be |
+ if (len > sizeof(name))
|
|
|
e293be |
+ return -EFAULT;
|
|
|
e293be |
if (copy_from_user(name, &user_buffer[i], len))
|
|
|
e293be |
return -EFAULT;
|
|
|
e293be |
i += len;
|
|
|
e293be |
@@ -1828,6 +1832,8 @@ static ssize_t pktgen_thread_write(struc
|
|
|
e293be |
ret = len;
|
|
|
e293be |
goto out;
|
|
|
e293be |
}
|
|
|
e293be |
+ if (len > sizeof(f))
|
|
|
e293be |
+ return -EFAULT;
|
|
|
e293be |
if (copy_from_user(f, &user_buffer[i], len))
|
|
|
e293be |
return -EFAULT;
|
|
|
e293be |
i += len;
|
|
|
e293be |
diff -up ./sound/core/seq/seq_clientmgr.c.cfu ./sound/core/seq/seq_clientmgr.c
|
|
|
e293be |
--- ./sound/core/seq/seq_clientmgr.c.cfu 2018-10-05 05:18:19.000000000 +0900
|
|
|
e293be |
|
|
|
e293be |
@@ -2136,6 +2136,8 @@ static long snd_seq_ioctl(struct file *f
|
|
|
e293be |
*/
|
|
|
e293be |
size = _IOC_SIZE(handler->cmd);
|
|
|
e293be |
if (handler->cmd & IOC_IN) {
|
|
|
e293be |
+ if (size > sizeof(buf))
|
|
|
e293be |
+ return -EFAULT;
|
|
|
e293be |
if (copy_from_user(&buf, (const void __user *)arg, size))
|
|
|
e293be |
return -EFAULT;
|
|
|
e293be |
}
|