tty: rocket: Remove RCPK_GET_STRUCT ioctl

If the cmd is RCPK_GET_STRUCT, copy_to_user will copy
info to user space. As info->port.ops is the address of
a constant object rocket_port_ops (assigned in init_r_port),
a kernel address leakage happens.

Remove the RCPK_GET_STRUCT ioctl.

Signed-off-by: Fuqian Huang <huangfq.daxian@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/tty/rocket.c b/drivers/tty/rocket.c
index b121d8f8f3d7d1a9d1dfc4341d61d51a5253a3f1..b6543e28bd8b4fca354d5bdc5aaa0dd0a10e8f14 100644 (file)
--- a/drivers/tty/rocket.c
+++ b/drivers/tty/rocket.c
@@ -1283,10 +1283,6 @@ static int rp_ioctl(struct tty_struct *tty,
                return -ENXIO;
 
        switch (cmd) {
-       case RCKP_GET_STRUCT:
-               if (copy_to_user(argp, info, sizeof (struct r_port)))
-                       ret = -EFAULT;
-               break;
        case RCKP_GET_CONFIG:
                ret = get_config(info, argp);
                break;

diff --git a/drivers/tty/rocket.h b/drivers/tty/rocket.h
index d0560203f2157cc21af1ca3c0f1d8341d85e5f36..d62ed6587f32ec62d98d77574053ca2c1a1af3cc 100644 (file)
--- a/drivers/tty/rocket.h
+++ b/drivers/tty/rocket.h
@@ -71,7 +71,6 @@ struct rocket_version {
 /*
  * Rocketport ioctls -- "RP"
  */
-#define RCKP_GET_STRUCT                0x00525001
 #define RCKP_GET_CONFIG                0x00525002
 #define RCKP_SET_CONFIG                0x00525003
 #define RCKP_GET_PORTS         0x00525004