Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

mei: validate request value in client notify request ioctl

This patch address a possible security issue:

The request field in client notify request ioctl comes from user space
as u32 and is downcasted to u8 with out validation.
Check request field to have approved values
MEI_HBM_NOTIFICATION_STAR/STOP

Cc: <stable@vger.kernel.org> #4.3+
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Alexander Usyskin 9 years ago
parent
92e963f50f
commit
7326fffb71
1 changed files with 5 additions and 1 deletions
Split View Show Diff Stats
  1. 5 1
      drivers/misc/mei/main.c

+ 5 - 1
drivers/misc/mei/main.c
View File 

@@ -458,7 +458,11 @@ static int mei_ioctl_client_notify_request(struct file *file, u32 request)
 
 {
 
 	struct mei_cl *cl = file->private_data;
 
 
-	return mei_cl_notify_request(cl, file, request);
 
+	if (request != MEI_HBM_NOTIFICATION_START &&
 
+	    request != MEI_HBM_NOTIFICATION_STOP)
 
+		return -EINVAL;
 
+
 
+	return mei_cl_notify_request(cl, file, (u8)request);
 
 }
 
 
 /**