!11592 CVE-2024-36915 (88c4c0b9) · Commits · EulixOS / Software / Kernel

include/linux/sockptr.h

+25 −0

Original line number	Diff line number	Diff line
		@@ -50,11 +50,36 @@ static inline int copy_from_sockptr_offset(void *dst, sockptr_t src,
		return 0;
		}

		/* Deprecated.
		* This is unsafe, unless caller checked user provided optlen.
		* Prefer copy_safe_from_sockptr() instead.
		*/
		static inline int copy_from_sockptr(void *dst, sockptr_t src, size_t size)
		{
		return copy_from_sockptr_offset(dst, src, 0, size);
		}

		/**
		* copy_safe_from_sockptr: copy a struct from sockptr
		* @dst: Destination address, in kernel space. This buffer must be @ksize
		* bytes long.
		* @ksize: Size of @dst struct.
		* @optval: Source address. (in user or kernel space)
		* @optlen: Size of @optval data.
		*
		* Returns:
		* * -EINVAL: @optlen < @ksize
		* * -EFAULT: access to userspace failed.
		* * 0 : @ksize bytes were copied
		*/
		static inline int copy_safe_from_sockptr(void *dst, size_t ksize,
		sockptr_t optval, unsigned int optlen)
		{
		if (optlen < ksize)
		return -EINVAL;
		return copy_from_sockptr(dst, optval, ksize);
		}

		static inline int copy_to_sockptr_offset(sockptr_t dst, size_t offset,
		const void *src, size_t size)
		{

+6 −6

Original line number	Diff line number	Diff line
		@@ -247,10 +247,10 @@ static int nfc_llcp_setsockopt(struct socket *sock, int level, int optname,
		break;
		}

		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
		err = -EFAULT;
		err = copy_safe_from_sockptr(&opt, sizeof(opt),
		optval, optlen);
		if (err)
		break;
		}

		if (opt > LLCP_MAX_RW) {
		err = -EINVAL;
		@@ -269,10 +269,10 @@ static int nfc_llcp_setsockopt(struct socket *sock, int level, int optname,
		break;
		}

		if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
		err = -EFAULT;
		err = copy_safe_from_sockptr(&opt, sizeof(opt),
		optval, optlen);
		if (err)
		break;
		}

		if (opt > LLCP_MAX_MIUX) {
		err = -EINVAL;