In openprom_ioctl() ensure appropriate permissions and that data isn't

NULL and doesn't point to a NULL pointer before dereferencing it. This
fixes a panic triggered by Xorg 7.3.

Reported and tested by:	Bill Green
MFC after:		3 days

1 files changed, 9 insertions, 1 deletions

diff --git a/sys/dev/ofw/openpromio.c b/sys/dev/ofw/openpromio.c
index ca6aba7..cb7343f 100644
--- a/sys/dev/ofw/openpromio.c
+++ b/sys/dev/ofw/openpromio.c
@@ -101,12 +101,17 @@ openprom_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flags,
 	char *buf;
 	int error;
 
+	if ((flags & FREAD) == 0)
+		return (EPERM);
+
 	prop = buf = NULL;
 	error = 0;
-	oprom = *(void **)data;
 	switch (cmd) {
 	case OPROMCHILD:
 	case OPROMNEXT:
+		if (data == NULL || *(void **)data == NULL)
+			return (EINVAL);
+		oprom = *(void **)data;
 		error = copyin(&oprom->oprom_size, &len, sizeof(len));
 		if (error != 0)
 			break;
@@ -135,6 +140,9 @@ openprom_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flags,
 		break;
 	case OPROMGETPROP:
 	case OPROMNXTPROP:
+		if (data == NULL || *(void **)data == NULL)
+			return (EINVAL);
+		oprom = *(void **)data;
 		error = copyin(&oprom->oprom_size, &len, sizeof(len));
 		if (error != 0)
 			break;