From: "Robert T. Johnson" <rtjohnso@eecs.berkeley.edu>
To: Markus.Lidel@shadowconnect.com
Cc: Linux Kernel <linux-kernel@vger.kernel.org>
Subject: PATCH: 2.6.7-rc3 drivers/message/i2o/i2o_config.c: user/kernel pointer bugs
Date: 09 Jun 2004 16:01:02 -0700
Message-ID: <1086822062.32052.129.camel@dooby.cs.berkeley.edu>

Since arg is a user pointer, accessing values like cmd->iop requires an 
unsafe user pointer dereference.

QUESTION: Does ioctl_passthru mean arg is a kernel pointer?  If so, then
disregard this bug report.

Let me know if you have any questions, and thanks for looking into this.

Best,
Rob


--- linux-2.6.7-rc3-full/drivers/message/i2o/i2o_config.c.orig	Wed Jun  9 12:14:08 2004
+++ linux-2.6.7-rc3-full/drivers/message/i2o/i2o_config.c	Wed Jun  9 12:13:33 2004
@@ -842,10 +842,10 @@ static int ioctl_evt_get(unsigned long a
 
 static int ioctl_passthru(unsigned long arg)
 {
-	struct i2o_cmd_passthru *cmd = (struct i2o_cmd_passthru *) arg;
+	struct i2o_cmd_passthru cmd;
 	struct i2o_controller *c;
 	u32 msg[MSG_FRAME_SIZE];
-	u32 *user_msg = (u32*)cmd->msg;
+	u32 *user_msg;
 	u32 *reply = NULL;
 	u32 *user_reply = NULL;
 	u32 size = 0;
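Review bot: `user_msg` is now left uninitialized at its declaration and only assigned once the struct has been copied in, which is the correct ordering, but since it points into user memory and is later passed to `get_user()`, it should carry the sparse annotation (`u32 __user *user_msg;`) if this tree uses `__user` annotations, so that any later direct dereference of it is flagged the same way the original `cmd->iop` access should have been.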
@@ -858,11 +858,16 @@ static int ioctl_passthru(unsigned long 
 	u32 i = 0;
 	ulong p = 0;
 
-	c = i2o_find_controller(cmd->iop);
+	if (copy_from_user(&cmd, (void *)arg, sizeof(cmd)))
+	  return -EFAULT;
+
+	user_msg = cmd.msg;
+
+	c = i2o_find_controller(cmd.iop);
 	if(!c)
                 return -ENXIO;
 
-	memset(&msg, 0, MSG_FRAME_SIZE*4);
+	memset(msg, 0, MSG_FRAME_SIZE*4);
 	if(get_user(size, &user_msg[0]))
 		return -EFAULT;
 	size = size>>16;
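Review bot: the `copy_from_user()` guard is the right fix, and copying the whole struct also means `cmd.iop` and `cmd.msg` are read from user memory exactly once instead of being re-dereferenced later in the function; two small points: the `return -EFAULT;` under the new check is indented with two spaces rather than the tab used elsewhere in this function, and the `(void *)arg` cast should be `(void __user *)arg` if the tree uses sparse annotations. The `memset(&msg, ...)` to `memset(msg, ...)` change is cosmetic, since `&msg` and `msg` have the same address for an array, so the changelog should say it is a cleanup rather than part of the fix.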
@@ -949,7 +954,7 @@ static int ioctl_passthru(unsigned long 
 		int sg_size;
 
 		// re-acquire the original message to handle correctly the sg copy operation
-		memset(&msg, 0, MSG_FRAME_SIZE*4);
+		memset(msg, 0, MSG_FRAME_SIZE*4);
 		// get user msg size in u32s
 		if (get_user(size, &user_msg[0])) {
 			rcode = -EFAULT;
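Review bot: this hunk is the same `&msg` to `msg` cleanup as in the previous one and has no functional effect; it is unrelated to the user/kernel pointer bug named in the subject and would be easier to review and bisect as a separate trivial patch.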
Thread overview: 4+ messages
2004-06-09 23:01 Robert T. Johnson [this message]
2004-06-10  1:37 ` PATCH: 2.6.7-rc3 drivers/message/i2o/i2o_config.c: user/kernel pointer bugs viro
2004-06-10  4:03   ` Robert T. Johnson
2004-06-11  6:24 ` Markus Lidel