f_gsi: Use kernel buffer instead of user space provided buffer

gsi_ctrl_dev_write() and gsi_ctrl_dev_read() API is directly using user
space provided buffer when qti_packet_debug is enabled. This can result
into using untrusted buffer pointer. Hence use cpkt->buf i.e. kernel
space buffer pointer instead of directly using user space provided buffer.

CRs-Fixed: 2061391
Change-Id: Iba6f2845dae2755446b4b8e9f3041686877d7bc4
Signed-off-by: Mayank Rana <mrana@codeaurora.org>

1 files changed, 2 insertions, 2 deletions

diff --git a/drivers/usb/gadget/function/f_gsi.c b/drivers/usb/gadget/function/f_gsi.c
index 7216fdd4245d..3f903d4776b4 100644
--- a/drivers/usb/gadget/function/f_gsi.c
+++ b/drivers/usb/gadget/function/f_gsi.c
@@ -1035,7 +1035,7 @@ gsi_ctrl_dev_read(struct file *fp, char __user *buf, size_t count, loff_t *pos)
 	log_event_dbg("%s: cpkt size:%d", __func__, cpkt->len);
 	if (qti_packet_debug)
 		print_hex_dump(KERN_DEBUG, "READ:", DUMP_PREFIX_OFFSET, 16, 1,
-			buf, min_t(int, 30, cpkt->len), false);
+			cpkt->buf, min_t(int, 30, cpkt->len), false);
 
 	ret = copy_to_user(buf, cpkt->buf, cpkt->len);
 	if (ret) {
@@ -1108,7 +1108,7 @@ static ssize_t gsi_ctrl_dev_write(struct file *fp, const char __user *buf,
 	c_port->copied_from_modem++;
 	if (qti_packet_debug)
 		print_hex_dump(KERN_DEBUG, "WRITE:", DUMP_PREFIX_OFFSET, 16, 1,
-			buf, min_t(int, 30, count), false);
+			cpkt->buf, min_t(int, 30, count), false);
 
 	spin_lock_irqsave(&c_port->lock, flags);
 	list_add_tail(&cpkt->list, &c_port->cpkt_resp_q);