Dan Carpenter 096cdc6f52 platform/chrome: cros_ec_dev - double fetch bug in ioctl ... We verify "u_cmd.outsize" and "u_cmd.insize" but we need to make sure that those values have not changed between the two copy_from_user() calls. Otherwise it could lead to a buffer overflow. Additionally, cros_ec_cmd_xfer() can set s_cmd->insize to a lower value. We should use the new smaller value so we don't copy too much data to the user. Reported-by: Pengfei Wang <wpengfeinudt@gmail.com> Fixes: a841178445 ('mfd: cros_ec: Use a zero-length array for command data') Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Kees Cook <keescook@chromium.org> Tested-by: Gwendal Grignou <gwendal@chromium.org> Cc: <stable@vger.kernel.org> # v4.2+ Signed-off-by: Olof Johansson <olof@lixom.net>		2016-07-05 14:01:52 -07:00
..
chrome	platform/chrome: cros_ec_dev - double fetch bug in ioctl	2016-07-05 14:01:52 -07:00
goldfish	Convert straggling drivers to new six-argument get_user_pages()	2016-04-02 18:35:05 -05:00
mips	Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus	2016-05-19 10:02:26 -07:00
olpc	OLPC: Use %*ph specifier instead of passing direct values	2015-10-06 23:22:08 +01:00
x86	platform/x86: Drop duplicate dependencies on X86	2016-06-08 13:21:37 -07:00
Kconfig	goldfish: refactor goldfish platform configs	2016-01-28 23:34:36 -08:00
Makefile	MIPS: Loongson-3: Add CPU Hwmon platform driver	2015-04-01 17:22:17 +02:00