提交 7326fffb 编写于 作者: A Alexander Usyskin 提交者: Greg Kroah-Hartman

mei: validate request value in client notify request ioctl

This patch address a possible security issue:

The request field in client notify request ioctl comes from user space
as u32 and is downcasted to u8 with out validation.
Check request field to have approved values
MEI_HBM_NOTIFICATION_STAR/STOP

Cc: <stable@vger.kernel.org> #4.3+
Signed-off-by: NAlexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: NTomas Winkler <tomas.winkler@intel.com>
Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
上级 92e963f5
......@@ -458,7 +458,11 @@ static int mei_ioctl_client_notify_request(struct file *file, u32 request)
{
struct mei_cl *cl = file->private_data;
return mei_cl_notify_request(cl, file, request);
if (request != MEI_HBM_NOTIFICATION_START &&
request != MEI_HBM_NOTIFICATION_STOP)
return -EINVAL;
return mei_cl_notify_request(cl, file, (u8)request);
}
/**
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册