Module: xenomai-3
Branch: stable-3.0.x
Commit: e6ce13339b1a52a51dd63c99c0d86b286649c60c
URL:    
http://git.xenomai.org/?p=xenomai-3.git;a=commit;h=e6ce13339b1a52a51dd63c99c0d86b286649c60c

Author: Philippe Gerum <r...@xenomai.org>
Date:   Wed Apr 26 18:34:34 2017 +0200

cobalt/rtdm: fix spurious dereference of user memory

---

 kernel/cobalt/rtdm/drvlib.c   |    2 +-
 kernel/cobalt/rtdm/fd.c       |    6 +++++-
 kernel/cobalt/rtdm/internal.h |    2 +-
 3 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/kernel/cobalt/rtdm/drvlib.c b/kernel/cobalt/rtdm/drvlib.c
index 1a79121..fb7bd7e 100644
--- a/kernel/cobalt/rtdm/drvlib.c
+++ b/kernel/cobalt/rtdm/drvlib.c
@@ -1837,7 +1837,7 @@ static struct file_operations driver_mmap_fops = {
 };
 
 int __rtdm_mmap_from_fdop(struct rtdm_fd *fd, size_t len, off_t offset,
-                         int prot, int flags, void *__user *pptr)
+                         int prot, int flags, void **pptr)
 {
        struct mmap_tramp_data tramp_data = {
                .fd = fd,
diff --git a/kernel/cobalt/rtdm/fd.c b/kernel/cobalt/rtdm/fd.c
index 4169e85..4b788c5 100644
--- a/kernel/cobalt/rtdm/fd.c
+++ b/kernel/cobalt/rtdm/fd.c
@@ -659,6 +659,7 @@ int rtdm_fd_mmap(int ufd, struct _rtdm_mmap_request *rma,
                 void * __user *u_addrp)
 {
        struct rtdm_fd *fd;
+       void *addr;
        int ret;
 
        secondary_mode_only();
@@ -679,7 +680,10 @@ int rtdm_fd_mmap(int ufd, struct _rtdm_mmap_request *rma,
        }
 
        ret = __rtdm_mmap_from_fdop(fd, rma->length, rma->offset,
-                                   rma->prot, rma->flags, u_addrp);
+                                   rma->prot, rma->flags, &addr);
+       if (ret == 0)
+               ret = rtdm_safe_copy_to_user(fd, u_addrp,
+                                            &addr,  sizeof(addr));
 unlock:
        rtdm_fd_put(fd);
 out:
diff --git a/kernel/cobalt/rtdm/internal.h b/kernel/cobalt/rtdm/internal.h
index 2d64c6a..b634bd9 100644
--- a/kernel/cobalt/rtdm/internal.h
+++ b/kernel/cobalt/rtdm/internal.h
@@ -47,7 +47,7 @@ int __rtdm_dev_ioctl_core(struct rtdm_fd *fd,
                          unsigned int request, void __user *arg);
 
 int __rtdm_mmap_from_fdop(struct rtdm_fd *fd, size_t len, off_t offset,
-                         int prot, int flags, void *__user *pptr);
+                         int prot, int flags, void **pptr);
 
 int rtdm_init(void);
 


_______________________________________________
Xenomai-git mailing list
Xenomai-git@xenomai.org
https://xenomai.org/mailman/listinfo/xenomai-git

Reply via email to