authorAlexander Usyskin <alexander.usyskin@intel.com>2016-01-17 12:25:01 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2016-02-06 22:12:56 -0800
commit7326fffb712f09a315bc73cc1ee63843f59b8bd4 (patch)
tree5f542b8e6172be47df34e28ab2b18c61064b4971
parent92e963f50fc74041b5e9e744c330dca48e04f08d (diff)
mei: validate request value in client notify request ioctl
This patch addresses a possible security issue: the request field in the client notify request ioctl comes from user space as a u32 and is downcast to u8 without validation. Check that the request field has one of the approved values, MEI_HBM_NOTIFICATION_START/STOP. Cc: <stable@vger.kernel.org> #4.3+ Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com> Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--drivers/misc/mei/main.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/drivers/misc/mei/main.c b/drivers/misc/mei/main.c
index 677d0362f334..80f9afcb1382 100644
--- a/drivers/misc/mei/main.c
+++ b/drivers/misc/mei/main.c
@@ -458,7 +458,11 @@ static int mei_ioctl_client_notify_request(struct file *file, u32 request)
{
struct mei_cl *cl = file->private_data;
- return mei_cl_notify_request(cl, file, request);
+ if (request != MEI_HBM_NOTIFICATION_START &&
+ request != MEI_HBM_NOTIFICATION_STOP)
+ return -EINVAL;
+
+ return mei_cl_notify_request(cl, file, (u8)request);
}
/**
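Review bot: The new check in mei_ioctl_client_notify_request carries no comment saying why it must come before the `(u8)request` cast. Without one, a later refactor could move or drop it and reintroduce the silent truncation of a user-supplied u32. I would add `/* request comes from user space as u32; reject anything but START/STOP before narrowing to u8 */` above the `if`. The function's kernel-doc sits above the signature, outside this hunk, and presumably needs `-EINVAL` added to its Return section. The validation lives only in this ioctl wrapper, so any other caller of mei_cl_notify_request (none visible here) would pass its u8 argument unchecked; confirm whether the helper should also reject unknown values.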