[MTD] mtdchar.c: Fix regression in MEMGETREGIONINFO ioctl()

The MEMGETREGIONINFO ioctl() in mtdchar.c was clobbering user memory by overwriting more than intended, due the size of struct mtd_erase_region_info changing in commit 0ecbc81 ('Support for auto locking flash on power up'). Fix avoids this by copying struct members one by one with put_user(), as there is no longer a convenient struct to use the size of as the length argument to copy_to_user(). Signed-off-by: Zev Weiss <zevweiss@gmail.com> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
git-mirror · Sep 2, 2008 · b67c5f8 · b67c5f8
1 parent 02c0267
commit b67c5f8
Showing 1 changed file with 10 additions and 6 deletions.
diff --git a/drivers/mtd/mtdchar.c b/drivers/mtd/mtdchar.c
@@ -410,16 +410,20 @@ static int mtd_ioctl(struct inode *inode, struct file *file,
 
 	case MEMGETREGIONINFO:
 	{
-		struct region_info_user ur;
+		uint32_t ur_idx;
+		struct mtd_erase_region_info *kr;
+		struct region_info_user *ur = (struct region_info_user *) argp;
 
-		if (copy_from_user(&ur, argp, sizeof(struct region_info_user)))
+		if (get_user(ur_idx, &(ur->regionindex)))
 			return -EFAULT;
 
-		if (ur.regionindex >= mtd->numeraseregions)
-			return -EINVAL;
-		if (copy_to_user(argp, &(mtd->eraseregions[ur.regionindex]),
-				sizeof(struct mtd_erase_region_info)))
+		kr = &(mtd->eraseregions[ur_idx]);
+
+		if (put_user(kr->offset, &(ur->offset))
+		    || put_user(kr->erasesize, &(ur->erasesize))
+		    || put_user(kr->numblocks, &(ur->numblocks)))
 			return -EFAULT;
+
 		break;
 	}