floppy: ignore kernel-only members in FDRAWCMD ioctl input

Always clear out these floppy_raw_cmd struct members after copying the entire structure from userspace so that the in-kernel version is always valid and never left in an interdeterminate state. Signed-off-by: Matthew Daley <mattd@bugfuzz.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
torvalds · May 5, 2014 · ef87dbe · ef87dbe
1 parent 89ca3b8
commit ef87dbe
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
@@ -3121,10 +3121,11 @@ static int raw_cmd_copyin(int cmd, void __user *param,
 		return -ENOMEM;
 	*rcmd = ptr;
 	ret = copy_from_user(ptr, param, sizeof(*ptr));
-	if (ret)
-		return -EFAULT;
 	ptr->next = NULL;
 	ptr->buffer_length = 0;
+	ptr->kernel_data = NULL;
+	if (ret)
+		return -EFAULT;
 	param += sizeof(struct floppy_raw_cmd);
 	if (ptr->cmd_count > 33)
 			/* the command may now also take up the space
@@ -3140,7 +3141,6 @@ static int raw_cmd_copyin(int cmd, void __user *param,
 	for (i = 0; i < 16; i++)
 		ptr->reply[i] = 0;
 	ptr->resultcode = 0;
-	ptr->kernel_data = NULL;
 
 	if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
 		if (ptr->length <= 0)