USB: gadget: mbim: Avoid copying uninitialized data to userspace

A race condition bug in function 'mbim_bind_config' allows to change 'mbim->xport' type to invalid value. This allows mbim_ioctl() to copy the uninitialized data to userspace. Fix this by avoiding copy_to_user() call when transport type is invalid. Change-Id: If8e8b6d4e2c347e1aff529bed0a798128eaea07c CRs-Fixed: 1102418 Signed-off-by: Arumuga Durai A <cadurai@codeaurora.org>
author: Arumuga Durai A <cadurai@codeaurora.org> 2016-12-27 19:50:06 +0530
committer: Arumuga Durai A <cadurai@codeaurora.org> 2017-01-10 19:59:27 +0530
commit: 489ce6427ffe58b75f61f2fad55d4ad937e567c1 (patch)
tree: 04d213c3d440f814ed6561f12a1123aad40f5df3
parent: a6d83d2e8ed916c5a097c7c047dc39cb9183b0e9 (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/usb/gadget/function/f_mbim.c b/drivers/usb/gadget/function/f_mbim.c
index ad66ec0d1492..5052f936e86c 100644
--- a/drivers/usb/gadget/function/f_mbim.c
+++ b/drivers/usb/gadget/function/f_mbim.c
@@ -2027,7 +2027,7 @@ static long mbim_ioctl(struct file *fp, unsigned cmd, unsigned long arg)
 		default:
 			ret = -ENODEV;
 			pr_err("unknown transport\n");
-			break;
+			goto fail;
 		}
 
 		ret = copy_to_user((void __user *)arg, &info,
@@ -2043,6 +2043,7 @@ static long mbim_ioctl(struct file *fp, unsigned cmd, unsigned long arg)
 		ret = -EINVAL;
 	}
 
+fail:
 	mbim_unlock(&mbim->ioctl_excl);
 
 	return ret;
author	Arumuga Durai A <cadurai@codeaurora.org>	2016-12-27 19:50:06 +0530
committer	Arumuga Durai A <cadurai@codeaurora.org>	2017-01-10 19:59:27 +0530
commit	489ce6427ffe58b75f61f2fad55d4ad937e567c1 (patch)
tree	04d213c3d440f814ed6561f12a1123aad40f5df3
parent	a6d83d2e8ed916c5a097c7c047dc39cb9183b0e9 (diff)