[PATCH] hwtracing: stm: avoid a double-fetch case when fetching policy id

From: Kangjie Lu
Date: Tue Dec 25 2018 - 15:10:42 EST


"size" is fetched from user space and security checked. The fix avoids
fetching it again. Since "size" is no longer used after the second
fetch in the current code, let's just skip copying "size" in the
second fetch.

Signed-off-by: Kangjie Lu <kjlu@xxxxxxx>
---
drivers/hwtracing/stm/core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c
index 93ce3aa740a9..55df1d374c57 100644
--- a/drivers/hwtracing/stm/core.c
+++ b/drivers/hwtracing/stm/core.c
@@ -752,7 +752,8 @@ static int stm_char_policy_set_ioctl(struct stm_file *stmf, void __user *arg)
if (!id)
return -ENOMEM;

- if (copy_from_user(id, arg, size)) {
+ if (copy_from_user(id + sizeof(size),
+ arg + sizeof(size), size - sizeof(size))) {
ret = -EFAULT;
goto err_free;
}
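Review bot: In the first added line, `id + sizeof(size)` is pointer arithmetic on `id`, so the offset is scaled by the size of whatever `id` points to. Unless `id` is a byte pointer, the destination lands well past the intended `sizeof(size)` bytes and the copy can write outside the allocation. The source side is fine because `arg` is `void __user *`, which GNU C advances bytewise, so the two offsets no longer match. Suggest casting the destination, e.g. `(char *)id + sizeof(size)`. Two further points: the length `size - sizeof(size)` wraps if `size` can be smaller than `sizeof(size)`, and the check the commit message relies on is not visible in this hunk, so a short comment naming that lower bound would help. Also, the first `sizeof(size)` bytes of the buffer are no longer written by this copy, so if the allocation is not zeroed, store the already-validated `size` there explicitly rather than leaving it uninitialized for later readers.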
--
2.17.2 (Apple Git-113)