From 333719a83d9b0e53cd291fc5fcd18227d997dc4f Mon Sep 17 00:00:00 2001
From: Sivacharan Paka <sipaka@codeaurora.org>
Date: Tue, 2 May 2017 12:44:32 +0530
Subject: [PATCH] radio-iris: Use copy_from_user API to access userspace memory

Directly accessing userspace memory pointer in kernel space without
checking validity of pointer. This can lead to security vulnerability.
Use copy_from_user API's to make sure there is no illegal memory access.

Bug: 36386593
Change-Id: I66a0b1931814ee19634a30dee02a5600066aa70b
Signed-off-by: Kamal Negi <kamaln@codeaurora.org>
---
 drivers/media/radio/radio-iris.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/drivers/media/radio/radio-iris.c b/drivers/media/radio/radio-iris.c
index 46898eb666aa..50891e07011f 100644
--- a/drivers/media/radio/radio-iris.c
+++ b/drivers/media/radio/radio-iris.c
@@ -3667,6 +3667,7 @@ static int iris_vidioc_s_ext_ctrls(struct file *file, void *priv,
 	struct hci_fm_set_cal_req_proc proc_cal_req;
 	struct hci_fm_set_spur_table_req spur_tbl_req;
 	char *spur_data;
+	char tmp_buf[2];
 
 	struct iris_device *radio = video_get_drvdata(video_devdata(file));
 	char *data = NULL;
@@ -3805,9 +3806,18 @@ static int iris_vidioc_s_ext_ctrls(struct file *file, void *priv,
 	case V4L2_CID_PRIVATE_IRIS_SET_SPURTABLE:
 		memset(&spur_tbl_req, 0, sizeof(spur_tbl_req));
 		data = (ctrl->controls[0]).string;
-		bytes_to_copy = (ctrl->controls[0]).size;
-		spur_tbl_req.mode = data[0];
-		spur_tbl_req.no_of_freqs_entries = data[1];
+		if (copy_from_user(&bytes_to_copy, &((ctrl->controls[0]).size),
+					sizeof(bytes_to_copy))) {
+			retval = -EFAULT;
+			goto END;
+		}
+		if (copy_from_user(&tmp_buf[0], &data[0],
+					sizeof(tmp_buf))) {
+			retval = -EFAULT;
+			goto END;
+		}
+		spur_tbl_req.mode = tmp_buf[0];
+		spur_tbl_req.no_of_freqs_entries = tmp_buf[1];
 
 		if (((spur_tbl_req.no_of_freqs_entries * SPUR_DATA_LEN) !=
 					bytes_to_copy - 2) ||
-- 
GitLab