| From 1f1cc4566bd9dd8d3cf19965a4b6392143618536 Mon Sep 17 00:00:00 2001 |
| From: Lars-Peter Clausen <lars@metafoo.de> |
| Date: Tue, 18 Oct 2016 16:53:59 +0200 |
| Subject: gpio: GPIO_GET_CHIPINFO_IOCTL: Fix line offset validation |
| |
| From: Lars-Peter Clausen <lars@metafoo.de> |
| |
| commit 1f1cc4566bd9dd8d3cf19965a4b6392143618536 upstream. |
| |
| The current line offset validation is off by one. Depending on the data |
| stored behind the descs array this can either cause undefined behavior or |
| disclose arbitrary, potentially sensitive, memory to the issuing userspace |
| application. |
| |
| Make sure that offset is within the bounds of the desc array. |
| |
| Fixes: 521a2ad6f862 ("gpio: add userspace ABI for GPIO line information") |
| Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> |
| Signed-off-by: Linus Walleij <linus.walleij@linaro.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/gpio/gpiolib.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/drivers/gpio/gpiolib.c |
| +++ b/drivers/gpio/gpiolib.c |
| @@ -837,7 +837,7 @@ static long gpio_ioctl(struct file *filp |
| |
| if (copy_from_user(&lineinfo, ip, sizeof(lineinfo))) |
| return -EFAULT; |
| - if (lineinfo.line_offset > gdev->ngpio) |
| + if (lineinfo.line_offset >= gdev->ngpio) |
| return -EINVAL; |
| |
| desc = &gdev->descs[lineinfo.line_offset]; |
