git.baikalelectronics.ru Git - kernel.git/commit

author	Arnd Bergmann <arnd@arndb.de>
	Fri, 25 Sep 2020 11:43:32 +0000 (13:43 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 25 Sep 2020 12:34:03 +0000 (14:34 +0200)
commit	eb819d324f6e1b5781bdab64958cf2abd1de013c
tree	8492239c948634431ddaab8e609232b434b96089	tree \| snapshot
parent	e3e1d119147c1d89784b39768d5848dc93a3f397	commit \| diff

staging: vchiq: avoid mixing kernel and user pointers

As found earlier, there is a problem in the create_pagelist() function
that takes a pointer argument that either points into vmalloc space or
into user space, with the pointer value controlled by user space allowing
a malicious user to trick the driver into accessing the kernel instead.

Avoid this problem by adding another function argument and passing
kernel pointers separately from user pointers. This makes it possible
to rely on sparse to point out invalid conversions, and it prevents
user space from faking a kernel pointer.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20200925114424.2647144-2-arnd@arndb.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/staging/vc04_services/interface/vchiq_arm/vchiq_2835_arm.c		diff \| blob \| history
drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c		diff \| blob \| history
drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c		diff \| blob \| history
drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.h		diff \| blob \| history