From CodeforEvolution <secundaja@xxxxxxxxx>:
CodeforEvolution has uploaded this change for review. (
https://review.haiku-os.org/c/haiku/+/2783 )
Change subject: wacom: SMAP Fixes
......................................................................
wacom: SMAP Fixes
Utilize user_memcpy and IS_USER_ADDRESS when necessary to prevent SMAP
violations
Should fix #14589
Change-Id: Ie2784020b21523f82fd450a2db2de60ccf9d6620
---
M src/add-ons/kernel/drivers/input/wacom/Jamfile
M src/add-ons/kernel/drivers/input/wacom/wacom.c
2 files changed, 30 insertions(+), 10 deletions(-)
git pull ssh://git.haiku-os.org:22/haiku refs/changes/83/2783/1
diff --git a/src/add-ons/kernel/drivers/input/wacom/Jamfile
b/src/add-ons/kernel/drivers/input/wacom/Jamfile
index 585ab2b..ca46565 100644
--- a/src/add-ons/kernel/drivers/input/wacom/Jamfile
+++ b/src/add-ons/kernel/drivers/input/wacom/Jamfile
@@ -1,6 +1,7 @@
SubDir HAIKU_TOP src add-ons kernel drivers input wacom ;
SubDirSysHdrs $(HAIKU_TOP) headers os drivers ;
+UsePrivateKernelHeaders ;
KernelAddon wacom :
wacom.c
diff --git a/src/add-ons/kernel/drivers/input/wacom/wacom.c
b/src/add-ons/kernel/drivers/input/wacom/wacom.c
index f2bacc9..395c330 100644
--- a/src/add-ons/kernel/drivers/input/wacom/wacom.c
+++ b/src/add-ons/kernel/drivers/input/wacom/wacom.c
@@ -18,6 +18,8 @@
#include <OS.h>
#include <USB3.h>
+#include <kernel.h>
+
int32 api_version = B_CUR_DRIVER_API_VERSION;
#define DEBUG_DRIVER 0
@@ -502,15 +504,29 @@
}
// read_header
-static void
+static status_t
read_header(const wacom_device* device, void* buffer)
{
uint16* ids = (uint16*)buffer;
uint32* size = (uint32*)buffer;
- ids[0] = device->vendor;
- ids[1] = device->product;
- size[1] = device->max_packet_size;
+ uint16* destVendor = &ids[0];
+ uint16* destProduct = &ids[1];
+ uint32* destMaxProductSize = &size[1];
+
+ if (!IS_USER_ADDRESS(buffer)) {
+ memcpy(destVendor, &device->vendor, sizeof(uint16));
+ memcpy(destProduct, &device->product, sizeof(uint16));
+ memcpy(destMaxProductSize, &device->max_packet_size,
sizeof(uint32));
+ return B_OK;
+ }
+
+ if (user_memcpy(destVendor, &device->vendor, sizeof(uint16)) == B_OK
+ && user_memcpy(destProduct, &device->product, sizeof(uint16))
== B_OK
+ && user_memcpy(destMaxProductSize, &device->max_packet_size,
sizeof(uint32)) == B_OK)
+ return B_OK;
+
+ return B_BAD_ADDRESS;
}
// device_read
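Review bot: The three field copies in read_header are written twice, once per address space, and replacing the old value assignments with `memcpy(..., sizeof(uint16))` from `&device->vendor` is only equivalent if the wacom_device fields have exactly those widths, which this hunk does not show. Building the 8-byte header in a local with plain assignments and copying it out once keeps the original conversion semantics, and leaves a single place where the user/kernel decision is made. It also drops the misnamed `destMaxProductSize`, which actually holds the max packet size. The plain memcpy branch is taken for every address that is not a user address, so it relies on callers never forwarding an unvalidated pointer from userland; a comment stating that assumption would help.

```c
static status_t
read_header(const wacom_device* device, void* buffer)
{
	// Assemble the header locally; all 8 bytes are written, so nothing
	// uninitialized is copied out to the caller.
	struct {
		uint16 vendor;
		uint16 product;
		uint32 max_packet_size;
	} header;

	header.vendor = device->vendor;
	header.product = device->product;
	header.max_packet_size = device->max_packet_size;

	// Userland buffers must go through user_memcpy so that a bad pointer
	// yields an error instead of a kernel fault.
	if (IS_USER_ADDRESS(buffer))
		return user_memcpy(buffer, &header, sizeof(header));

	// Anything else is assumed to be a kernel buffer from a kernel caller.
	memcpy(buffer, &header, sizeof(header));
	return B_OK;
}
```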
@@ -558,8 +574,7 @@
"B_TIMED_OUT\n",
cookie, kBasePublishPath,
device->number));
*count = 8;
- read_header(device, buffer);
- ret = B_OK;
+ ret = read_header(device,
buffer);
} else {
// any other error trying to
acquire the semaphore
*count = 0;
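Review bot: `*count = 8` is assigned before `read_header()` runs, so when the copy fails device_read returns an error while still reporting eight bytes transferred. The same ordering appears in the `@@ -570` hunk, where `*count = dataLength + 8` precedes both copies, and in the `*count == 8` branch of the `@@ -587` hunk. Resetting the count on failure, e.g. `if (ret != B_OK) *count = 0;` after the copy in each of the three places, would match the other error paths visible here that set `*count = 0`. device_read starts and ends outside these hunks, so how callers treat `*count` on an error return could not be checked.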
@@ -570,8 +585,13 @@
// copy the data from the buffer
dataLength =
min_c(device->length, *count - 8);
*count = dataLength + 8;
- read_header(device, buffer);
- memcpy(buffer + 8,
device->data, dataLength);
+ ret = read_header(device,
buffer);
+ if (ret == B_OK) {
+ if
(IS_USER_ADDRESS(buffer))
+ ret =
user_memcpy(buffer + 8, device->data, dataLength);
+ else
+ memcpy(buffer +
8, device->data, dataLength);
+ }
} else {
// an error happened during the
interrupt transfer
*count = 0;
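Review bot: The `IS_USER_ADDRESS(buffer)` / `user_memcpy` / `memcpy` choice is written out again here for the payload, separately from the one inside read_header, so two places must stay in agreement about which copy primitive a buffer gets. A small static helper taking destination, source and length, used by both read_header and this branch, would reduce the call to `ret = copy_to_caller((uint8*)buffer + 8, device->data, dataLength);` (the helper name is only a suggestion). The cast also replaces the arithmetic on `void*`, which is a GNU extension. The surrounding device_read body lies outside the hunk.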
@@ -587,8 +607,7 @@
device->number, ret);
}
} else if (*count == 8) {
- read_header(device, buffer);
- ret = B_OK;
+ ret = read_header(device, buffer);
} else {
dprintf(ID "device_read(%p) name = \"%s%d\" -> buffer
size must be "
"at least 8 bytes!\n", cookie, kBasePublishPath,
--
To view, visit https://review.haiku-os.org/c/haiku/+/2783
Gerrit-Project: haiku
Gerrit-Branch: master
Gerrit-Change-Id: Ie2784020b21523f82fd450a2db2de60ccf9d6620
Gerrit-Change-Number: 2783
Gerrit-PatchSet: 1
Gerrit-Owner: CodeforEvolution <secundaja@xxxxxxxxx>
Gerrit-MessageType: newchange