summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChris Wilson <chris@chris-wilson.co.uk>2013-04-12 13:39:59 +0400
committerDave Airlie <airlied@redhat.com>2013-04-16 07:18:06 +0400
commite4fda9f264e154946c678ca7ff07023f573abf6a (patch)
tree41362cc50b110c7f3e45e4e3a7fdcdd93feee396
parentb6330548383cf18d608faf1c2dc0c81c60476233 (diff)
downloadlinux-e4fda9f264e154946c678ca7ff07023f573abf6a.tar.xz
drm: Perform ioctl command validation on the stored kernel values
Userspace is free to pass in any command bits it feels like through the ioctl cmd, and for example trinity likes to fuzz those bits to create conflicting commands. So instead of relying upon userspace to pass along the correct IN/OUT flags for the ioctl, use the flags as expected by the kernel. This does have a side-effect that NULL pointers can not be substituted by userspace in place of a struct. This feature was not being used by any driver, but instead exposed all of the command handlers to a user triggerable OOPS. Reported-by: Tommi Rantala <tt.rantala@gmail.com> Link: http://lkml.kernel.org/r/CA+ydwtpuBvbwxbt-tdgPUvj1EU7itmCHo_2B3w13HkD5+jWKow@mail.gmail.com Signed-off-by: Tommi Rantala <tt.rantala@gmail.com> Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> Signed-off-by: Dave Airlie <airlied@redhat.com>
-rw-r--r--drivers/gpu/drm/drm_drv.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
index 25f91cd23e60..0ac1991a470a 100644
--- a/drivers/gpu/drm/drm_drv.c
+++ b/drivers/gpu/drm/drm_drv.c
@@ -408,6 +408,7 @@ long drm_ioctl(struct file *filp,
usize = asize = _IOC_SIZE(cmd);
if (drv_size > asize)
asize = drv_size;
+ cmd = ioctl->cmd_drv;
}
else if ((nr >= DRM_COMMAND_END) || (nr < DRM_COMMAND_BASE)) {
ioctl = &drm_ioctls[nr];