From: Alexander Usyskin <alexander.usyskin@intel.com>
Date: Sun, 17 Jan 2016 10:25:01 +0000 (+0200)
Subject: mei: validate request value in client notify request ioctl
X-Git-Tag: firefly_0821_release~176^2~475^2~304
X-Git-Url: http://plrg.eecs.uci.edu/git/?a=commitdiff_plain;h=a007fc3d6569b620ec5bca1b4636d952ebdd2627;p=firefly-linux-kernel-4.4.55.git

mei: validate request value in client notify request ioctl

commit 7326fffb712f09a315bc73cc1ee63843f59b8bd4 upstream.

This patch address a possible security issue:

The request field in client notify request ioctl comes from user space
as u32 and is downcasted to u8 with out validation.
Check request field to have approved values
MEI_HBM_NOTIFICATION_STAR/STOP

Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/drivers/misc/mei/main.c b/drivers/misc/mei/main.c
index 677d0362f334..80f9afcb1382 100644
--- a/drivers/misc/mei/main.c
+++ b/drivers/misc/mei/main.c
@@ -458,7 +458,11 @@ static int mei_ioctl_client_notify_request(struct file *file, u32 request)
 {
 	struct mei_cl *cl = file->private_data;
 
-	return mei_cl_notify_request(cl, file, request);
+	if (request != MEI_HBM_NOTIFICATION_START &&
+	    request != MEI_HBM_NOTIFICATION_STOP)
+		return -EINVAL;
+
+	return mei_cl_notify_request(cl, file, (u8)request);
 }
 
 /**