[haiku-commits] Change in haiku[master]: wacom: SMAP Fixes

  • From: Gerrit <review@xxxxxxxxxxxxxxxxxxx>
  • To: waddlesplash <waddlesplash@xxxxxxxxx>, haiku-commits@xxxxxxxxxxxxx
  • Date: Sat, 23 May 2020 03:43:34 +0000

From CodeforEvolution <secundaja@xxxxxxxxx>:

CodeforEvolution has uploaded this change for review. ( 
https://review.haiku-os.org/c/haiku/+/2783 ;)


Change subject: wacom: SMAP Fixes
......................................................................

wacom: SMAP Fixes

Utilize user_memcpy and IS_USER_ADDRESS when necessary to prevent SMAP 
violations

Should fix #14589

Change-Id: Ie2784020b21523f82fd450a2db2de60ccf9d6620
---
M src/add-ons/kernel/drivers/input/wacom/Jamfile
M src/add-ons/kernel/drivers/input/wacom/wacom.c
2 files changed, 30 insertions(+), 10 deletions(-)



  git pull ssh://git.haiku-os.org:22/haiku refs/changes/83/2783/1

diff --git a/src/add-ons/kernel/drivers/input/wacom/Jamfile 
b/src/add-ons/kernel/drivers/input/wacom/Jamfile
index 585ab2b..ca46565 100644
--- a/src/add-ons/kernel/drivers/input/wacom/Jamfile
+++ b/src/add-ons/kernel/drivers/input/wacom/Jamfile
@@ -1,6 +1,7 @@
 SubDir HAIKU_TOP src add-ons kernel drivers input wacom ;

 SubDirSysHdrs $(HAIKU_TOP) headers os drivers ;
+UsePrivateKernelHeaders ;

 KernelAddon wacom :
        wacom.c
diff --git a/src/add-ons/kernel/drivers/input/wacom/wacom.c 
b/src/add-ons/kernel/drivers/input/wacom/wacom.c
index f2bacc9..395c330 100644
--- a/src/add-ons/kernel/drivers/input/wacom/wacom.c
+++ b/src/add-ons/kernel/drivers/input/wacom/wacom.c
@@ -18,6 +18,8 @@
 #include <OS.h>
 #include <USB3.h>

+#include <kernel.h>
+
 int32 api_version = B_CUR_DRIVER_API_VERSION;

 #define DEBUG_DRIVER 0
@@ -502,15 +504,29 @@
 }

 // read_header
-static void
+static status_t
 read_header(const wacom_device* device, void* buffer)
 {
        uint16* ids = (uint16*)buffer;
        uint32* size = (uint32*)buffer;

-       ids[0] = device->vendor;
-       ids[1] = device->product;
-       size[1] = device->max_packet_size;
+       uint16* destVendor = &ids[0];
+       uint16* destProduct = &ids[1];
+       uint32* destMaxProductSize = &size[1];
+
+       if (!IS_USER_ADDRESS(buffer)) {
+               memcpy(destVendor, &device->vendor, sizeof(uint16));
+               memcpy(destProduct, &device->product, sizeof(uint16));
+               memcpy(destMaxProductSize, &device->max_packet_size, 
sizeof(uint32));
+               return B_OK;
+       }
+
+       if (user_memcpy(destVendor, &device->vendor, sizeof(uint16)) == B_OK
+               && user_memcpy(destProduct, &device->product, sizeof(uint16)) 
== B_OK
+               && user_memcpy(destMaxProductSize, &device->max_packet_size, 
sizeof(uint32)) == B_OK)
+               return B_OK;
+
+       return B_BAD_ADDRESS;
 }

 // device_read
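Review bot: The `memcpy`/`user_memcpy` calls in `read_header` copy `sizeof(uint16)` and `sizeof(uint32)` bytes straight from the addresses of `device->vendor`, `device->product` and `device->max_packet_size`, which matches the assignments they replace only if the fields have exactly those types. The struct is not visible in this hunk; if `max_packet_size` is wider (for example `size_t`), the copied bytes depend on byte order, whereas the old assignment converted the value. The three separate `user_memcpy` calls can also leave a partly written header in the caller's buffer when a later one faults, and `destMaxProductSize` is a misleading name for the max packet size slot. Building the 8 bytes in a local buffer through ordinary assignments and copying them out once avoids all three, as sketched below.

```c
static status_t
read_header(const wacom_device* device, void* buffer)
{
	// Assemble the header locally: assignment converts the field values,
	// and the caller's buffer is written by a single copy.
	uint16 ids[2];
	uint32 maxPacketSize = device->max_packet_size;
	uint8 header[8];

	ids[0] = device->vendor;
	ids[1] = device->product;
	memcpy(header, ids, sizeof(ids));
	memcpy(header + sizeof(ids), &maxPacketSize, sizeof(maxPacketSize));

	if (!IS_USER_ADDRESS(buffer)) {
		memcpy(buffer, header, sizeof(header));
		return B_OK;
	}

	if (user_memcpy(buffer, header, sizeof(header)) != B_OK)
		return B_BAD_ADDRESS;

	return B_OK;
}
```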
@@ -558,8 +574,7 @@
                                                        "B_TIMED_OUT\n", 
cookie, kBasePublishPath,
                                                        device->number));
                                                *count = 8;
-                                               read_header(device, buffer);
-                                               ret = B_OK;
+                                               ret = read_header(device, 
buffer);
                                        } else {
                                                // any other error trying to 
acquire the semaphore
                                                *count = 0;
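Review bot: `*count` is set to 8 before `ret = read_header(device, buffer);` and stays at 8 when the copy fails, while the neighbouring error branches in this function set `*count = 0`. The same applies to the `*count = dataLength + 8` path in the next hunk and to the `*count == 8` branch in the last one. Whether callers look at `*count` after an error return is not visible here, but for consistency I would add `if (ret != B_OK) *count = 0;` after each of the three calls. `device_read` starts and ends outside these hunks.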
@@ -570,8 +585,13 @@
                                                // copy the data from the buffer
                                                dataLength = 
min_c(device->length, *count - 8);
                                                *count = dataLength + 8;
-                                               read_header(device, buffer);
-                                               memcpy(buffer + 8, 
device->data, dataLength);
+                                               ret = read_header(device, 
buffer);
+                                               if (ret == B_OK) {
+                                                       if 
(IS_USER_ADDRESS(buffer))
+                                                               ret = 
user_memcpy(buffer + 8, device->data, dataLength);
+                                                       else
+                                                               memcpy(buffer + 
8, device->data, dataLength);
+                                               }
                                        } else {
                                                // an error happened during the 
interrupt transfer
                                                *count = 0;
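Review bot: The `else` branch with `memcpy(buffer + 8, device->data, dataLength)` treats every address that fails `IS_USER_ADDRESS` as a trusted kernel buffer and writes to it without a fault-safe copy, as does the `!IS_USER_ADDRESS(buffer)` branch in `read_header`. That is only safe if a userland read can never reach `device_read` with a non-user address, which the syscall layer presumably guarantees but nothing on this page shows. If that assumption holds, I would state it next to the branch, e.g. `// non-user buffers only come from in-kernel callers; userland addresses are validated before this hook runs`. Since the user/kernel choice is now written out twice, moving it into one small static helper that both call sites use would keep the two paths from drifting apart.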
@@ -587,8 +607,7 @@
                                        device->number, ret);
                        }
                } else if (*count == 8) {
-                       read_header(device, buffer);
-                       ret = B_OK;
+                       ret = read_header(device, buffer);
                } else {
                        dprintf(ID "device_read(%p) name = \"%s%d\" -> buffer 
size must be "
                                "at least 8 bytes!\n", cookie, kBasePublishPath,

--
To view, visit https://review.haiku-os.org/c/haiku/+/2783
To unsubscribe, or for help writing mail filters, visit 
https://review.haiku-os.org/settings

Gerrit-Project: haiku
Gerrit-Branch: master
Gerrit-Change-Id: Ie2784020b21523f82fd450a2db2de60ccf9d6620
Gerrit-Change-Number: 2783
Gerrit-PatchSet: 1
Gerrit-Owner: CodeforEvolution <secundaja@xxxxxxxxx>
Gerrit-MessageType: newchange
