[PATCH] scsi_ioctl memcpy'ing user address

James reported a bug in scsi_ioctl.c where it mem copies a user pointer instead of using copy_from_user(). I inadvertently introduced this one when getting rid of CDROM_SEND_PACKET. Here's a trivial patch to fix it.

[PATCH] scsi_ioctl memcpy'ing user address
James reported a bug in scsi_ioctl.c where it mem copies a user pointer instead of using copy_from_user(). I inadvertently introduced this one when getting rid of CDROM_SEND_PACKET. Here's a trivial patch to fix it.
8cc86c08 · Jens Axboe · Linus Torvalds · 5dbe8bb5 · 8cc86c08
Commit 8cc86c08 authored Dec 08, 2003 by Jens Axboe Committed by Linus Torvalds Dec 08, 2003
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 1 deletion

drivers/block/scsi_ioctl.c drivers/block/scsi_ioctl.c +6 -1

No files found.
--- a/drivers/block/scsi_ioctl.c
+++ b/drivers/block/scsi_ioctl.c
@@ -216,7 +216,12 @@ static int sg_io(request_queue_t *q, struct block_device *bdev,
 	 * fill in request structure
 	 */
 	rq->cmd_len = hdr->cmd_len;
-	memcpy(rq->cmd, hdr->cmdp, hdr->cmd_len);
+
+	if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len)) {
+		blk_put_request(rq);
+		return -EFAULT;
+	}
+
 	if (sizeof(rq->cmd) != hdr->cmd_len)
 		memset(rq->cmd + hdr->cmd_len, 0, sizeof(rq->cmd) - hdr->cmd_len);