[PATCH] tty/vt: set_get_cmap() check user buffer
From: Michael Gehring
Date: Mon Mar 19 2012 - 19:41:46 EST
set_get_cmap() ignores the result of {get,put}_user(), causing ioctl(vt,
{G,P}IO_CMAP, 0xdeadbeef) to silently fail.
Another side effect of this: calling the PIO_CMAP ioctl with an invalid
buffer will zero the default colormap and the palette for all vts (all
colors set to black).
Use access_ok() and return -EFAULT when appropriate.
Signed-off-by: Michael Gehring <mg@xxxxxxxx>
---
drivers/tty/vt/vt.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index e716839..176b2a1 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -3897,15 +3897,18 @@ static int set_get_cmap(unsigned char __user *arg, int set)
WARN_CONSOLE_UNLOCKED();
+ if (!access_ok(set ? VERIFY_READ : VERIFY_WRITE, arg, 3 * 16))
+ return -EFAULT;
+
for (i = 0; i < 16; i++)
if (set) {
- get_user(default_red[i], arg++);
- get_user(default_grn[i], arg++);
- get_user(default_blu[i], arg++);
+ __get_user(default_red[i], arg++);
+ __get_user(default_grn[i], arg++);
+ __get_user(default_blu[i], arg++);
} else {
- put_user(default_red[i], arg++);
- put_user(default_grn[i], arg++);
- put_user(default_blu[i], arg++);
+ __put_user(default_red[i], arg++);
+ __put_user(default_grn[i], arg++);
+ __put_user(default_blu[i], arg++);
}
if (set) {
for (i = 0; i < MAX_NR_CONSOLES; i++)
--
1.7.9.4
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/