[CHECKER][PATCH] awe_wave.c user pointer dereference

Hollis Blanchard (hollisb@us.ibm.com)
Thu, 5 Jun 2003 16:34:01 -0500


This is a MIME-formatted message. If you see this text it means that your
E-mail software does not support MIME-formatted messages.

--=_courier-7797-1054848962-0001-2
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Two ioctl functions in sound/oss/awe_wave.c were directly dereferencing
a user-supplied pointer in a few places. Please apply.

-- 
Hollis Blanchard
IBM Linux Technology Center

--=_courier-7797-1054848962-0001-2 Content-Type: text/plain; x-unix-mode=0644; name="awe-userptr.txt"; charset=iso-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=awe-userptr.txt

===== sound/oss/awe_wave.c 1.12 vs edited ===== --- 1.12/sound/oss/awe_wave.c Thu Apr 3 16:35:48 2003 +++ edited/sound/oss/awe_wave.c Thu Jun 5 16:16:53 2003 @@ -2046,7 +2046,8 @@ awe_info.nr_voices = awe_max_voices; else awe_info.nr_voices = AWE_MAX_CHANNELS; - memcpy((char*)arg, &awe_info, sizeof(awe_info)); + if (copy_to_user((char*)arg, &awe_info, sizeof(awe_info))) + return -EFAULT; return 0; break; @@ -2063,10 +2064,12 @@ case SNDCTL_SYNTH_MEMAVL: return memsize - awe_free_mem_ptr() * 2; + break; default: printk(KERN_WARNING "AWE32: unsupported ioctl %d\n", cmd); return -EINVAL; + break; } } @@ -4314,7 +4317,8 @@ if (((cmd >> 8) & 0xff) != 'M') return -EINVAL; - level = *(int*)arg; + if (get_user(level, (int *)arg)) + return -EFAULT; level = ((level & 0xff) + (level >> 8)) / 2; DEBUG(0,printk("AWEMix: cmd=%x val=%d\n", cmd & 0xff, level)); @@ -4370,7 +4374,9 @@ level = 0; break; } - return *(int*)arg = level; + if (put_user(level, (int *)arg)) + return -EFAULT; + return level; } #endif /* CONFIG_AWE32_MIXER */

--=_courier-7797-1054848962-0001-2--