From: Felipe W Damasio <felipewd@terra.com.br>

Check the return value of copy_from_user in a few places so that incompletely
filled structures are not used when copy_from_user returns non-zero.  Found by smatch.



 drivers/cdrom/sjcd.c |   22 +++++++++++++---------
 1 files changed, 13 insertions(+), 9 deletions(-)

diff -puN drivers/cdrom/sjcd.c~sjcd-usercopy-checks drivers/cdrom/sjcd.c
--- 25/drivers/cdrom/sjcd.c~sjcd-usercopy-checks	2003-10-12 17:20:10.000000000 -0700
+++ 25-akpm/drivers/cdrom/sjcd.c	2003-10-12 17:20:10.000000000 -0700
@@ -839,8 +839,9 @@ static int sjcd_ioctl(struct block_devic
 					    CDROM_AUDIO_NO_STATUS;
 				}
 
-				copy_from_user(&sjcd_msf, (void *) arg,
-					       sizeof(sjcd_msf));
+				if (copy_from_user(&sjcd_msf, (void *) arg,
+					       sizeof(sjcd_msf)))
+					return (-EFAULT);
 
 				sjcd_playing.start.min =
 				    bin2bcd(sjcd_msf.cdmsf_min0);
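Review bot: The minute, second and frame values copied from user space go straight into `bin2bcd(sjcd_msf.cdmsf_min0)` and its siblings with no range check visible in this hunk, so out-of-range input would be stored in `sjcd_playing` as malformed BCD. If nothing further down validates them, a guard right after the copy such as `if (sjcd_msf.cdmsf_sec0 >= CD_SECS || sjcd_msf.cdmsf_frame0 >= CD_FRAMES) return (-EINVAL);`, repeated for the end address, would reject them. Separately, the context lines above the copy assign `CDROM_AUDIO_NO_STATUS`, so the new `-EFAULT` path returns after that state change; doing the copy first would keep the failure free of side effects. This case of sjcd_ioctl starts and ends outside the hunk, so both points need checking against the full function.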
@@ -890,9 +891,9 @@ static int sjcd_ioctl(struct block_devic
 					 sizeof(toc_entry))) == 0) {
 				struct sjcd_hw_disk_info *tp;
 
-				copy_from_user(&toc_entry, (void *) arg,
-					       sizeof(toc_entry));
-
+				if (copy_from_user(&toc_entry, (void *) arg,
+					       sizeof(toc_entry)))
+					return (-EFAULT);
 				if (toc_entry.cdte_track == CDROM_LEADOUT)
 					tp = &sjcd_table_of_contents[0];
 				else if (toc_entry.cdte_track <
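Review bot: The condition that opens this block, of which only `sizeof(toc_entry))) == 0) {` is visible, looks like a separate access pre-check on the same `arg` and size, and it now sits in front of a checked `copy_from_user` that validates the pointer itself. If that reading is right, the same bad pointer can be reported through two different paths, and the pre-check only matters for whatever is written back to `arg` later. Either drop it in a follow-up or state the intent with a comment such as `/* pre-check kept for the copy back to user space */`. The same tail is visible in the `subchnl` and `vol_ctrl` hunks; the call itself lies outside all three, so this is inferred from the visible end of the condition.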
@@ -945,8 +946,10 @@ static int sjcd_ioctl(struct block_devic
 					 sizeof(subchnl))) == 0) {
 				struct sjcd_hw_qinfo q_info;
 
-				copy_from_user(&subchnl, (void *) arg,
-					       sizeof(subchnl));
+				if (copy_from_user(&subchnl, (void *) arg,
+					       sizeof(subchnl)))
+					return (-EFAULT);
+
 				if (sjcd_get_q_info(&q_info) < 0)
 					return (-EIO);
 
@@ -1002,8 +1005,9 @@ static int sjcd_ioctl(struct block_devic
 					 sizeof(vol_ctrl))) == 0) {
 				unsigned char dummy[4];
 
-				copy_from_user(&vol_ctrl, (void *) arg,
-					       sizeof(vol_ctrl));
+				if (copy_from_user(&vol_ctrl, (void *) arg,
+					       sizeof(vol_ctrl)))
+					return (-EFAULT);
 				sjcd_send_4_cmd(SCMD_SET_VOLUME,
 						vol_ctrl.channel0, 0xFF,
 						vol_ctrl.channel1, 0xFF);

_