Re: Misc 2.5 Fixes: cp-user-cmpci

From: Dipankar Sarma (dipankar@in.ibm.com)
Date: Tue Jun 10 2003 - 05:09:50 EST


Fix copy/user problems. Not sure why cm_write() needs to do
acces_ok() on buffer twice. Also __get_user() return value isn't checked
in trans_ac3().

 sound/oss/cmpci.c | 19 +++++++++++++------
 1 files changed, 13 insertions(+), 6 deletions(-)

diff -puN sound/oss/cmpci.c~cp-user-cmpci sound/oss/cmpci.c
--- linux-2.5.70-ds/sound/oss/cmpci.c~cp-user-cmpci 2003-06-08 15:36:16.000000000 +0530
+++ linux-2.5.70-ds-dipankar/sound/oss/cmpci.c 2003-06-08 20:39:03.000000000 +0530
@@ -588,7 +588,8 @@ static void trans_ac3(struct cm_state *s
         unsigned short *src = (unsigned short *)source;
 
         do {
- data = (unsigned long) *src++;
+ __get_user(data, src);
+ src++;
                 data <<= 12; // ok for 16-bit data
                 if (s->spdif_counter == 2 || s->spdif_counter == 3)
                         data |= 0x40000000; // indicate AC-3 raw data
@@ -1600,9 +1601,9 @@ static ssize_t cm_write(struct file *fil
                         return -ENXIO;
                 if (!s->dma_adc.ready && (ret = prog_dmabuf(s, 1)))
                         return ret;
- if (!access_ok(VERIFY_READ, buffer, count))
- return -EFAULT;
         }
+ if (!access_ok(VERIFY_READ, buffer, count))
+ return -EFAULT;
         ret = 0;
 
         while (count > 0) {
@@ -1662,15 +1663,21 @@ static ssize_t cm_write(struct file *fil
                         swptr = (swptr + 2 * cnt) % s->dma_dac.dmasize;
                 } else if (s->status & DO_DUAL_DAC) {
                         int i;
- unsigned long *src, *dst0, *dst1;
+ unsigned long *src, *dst0, *dst1, data;
 
                         src = (unsigned long *) buffer;
                         dst0 = (unsigned long *) (s->dma_dac.rawbuf + swptr);
                         dst1 = (unsigned long *) (s->dma_adc.rawbuf + swptr);
                         // copy left/right sample at one time
                         for (i = 0; i <= cnt / 4; i++) {
- *dst0++ = *src++;
- *dst1++ = *src++;
+ if (__get_user(data, src))
+ return ret ? ret : -EFAULT;
+ *dst0++ = data;
+ src++;
+ if (__get_user(data, src))
+ return ret ? ret : -EFAULT;
+ *dst1++ = data;
+ src++;
                         }
                         swptr = (swptr + cnt) % s->dma_dac.dmasize;
                 } else {

_
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Sun Jun 15 2003 - 22:00:23 EST