* [PATCH 2/3] cciss: bug fix for BIG_PASS_THRU
@ 2005-11-18 16:41 mikem
  2005-11-18 21:01 ` Jens Axboe
  2005-11-18 21:05 ` Philippe Pegon
  0 siblings, 2 replies; 4+ messages in thread
From: mikem @ 2005-11-18 16:41 UTC (permalink / raw)
  To: akpm, axboe; +Cc: linux-kernel, linux-scsi

Patch 2 of 3

Applications using CCISS_BIG_PASSTHRU complained that the data written
was zeros.  The code looked alright, but it seems that copy_from_user 
already does a memset on the buffer. Removing it from the pass-through
fixes the apps.

Please consider this for inclusion.

Signed-off-by: Mike Miller <mike.miller@hp.com>
--------------------------------------------------------------------------------

 drivers/block/cciss.c |    2 --
 1 files changed, 2 deletions(-)

diff -puN drivers/block/cciss.c~cciss_memset drivers/block/cciss.c
--- linux-2.6.14.2/drivers/block/cciss.c~cciss_memset	2005-11-15 15:41:23.289070160 -0600
+++ linux-2.6.14.2-mikem/drivers/block/cciss.c	2005-11-15 15:42:28.264192440 -0600
@@ -1020,8 +1020,6 @@ static int cciss_ioctl(struct inode *ino
 				copy_from_user(buff[sg_used], data_ptr, sz)) {
 					status = -ENOMEM;
 					goto cleanup1;			
-			} else {
-				memset(buff[sg_used], 0, sz);
 			}
 			left -= sz;
 			data_ptr += sz;
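Review bot: deleting `memset(buff[sg_used], 0, sz);` removes the only clearing of a non-XFER_WRITE buffer before it goes to the controller and is later copied back to userspace, so if the controller leaves any part of the buffer untouched, whatever the allocator left in it reaches the caller; the zeroed-write bug this patch is chasing is not the memset itself but the branch structure around it. The write path shares one `if` with the copy failure test, so a successful `copy_from_user(buff[sg_used], data_ptr, sz)` makes the whole condition false and control falls into the `else` branch that zeroes the data just copied. Keep the memset and separate the two cases: test the direction first, call copy_from_user inside that branch and take the `goto cleanup1` only on its failure, and leave `memset(buff[sg_used], 0, sz);` as the else branch for reads.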
_


* Re: [PATCH 2/3] cciss: bug fix for BIG_PASS_THRU
  2005-11-18 16:41 [PATCH 2/3] cciss: bug fix for BIG_PASS_THRU mikem
@ 2005-11-18 21:01 ` Jens Axboe
  2005-11-18 21:32   ` mikem
  2005-11-18 21:05 ` Philippe Pegon
  1 sibling, 1 reply; 4+ messages in thread
From: Jens Axboe @ 2005-11-18 21:01 UTC (permalink / raw)
  To: mikem; +Cc: akpm, linux-kernel, linux-scsi

On Fri, Nov 18 2005, mikem wrote:
> Patch 2 of 3
> 
> Applications using CCISS_BIG_PASSTHRU complained that the data written
> was zeros.  The code looked alright, but it seems that copy_from_user 
> already does a memset on the buffer. Removing it from the pass-through
> fixes the apps.

Hmm, I don't like this patch, since you never clear the buffer for reads
now. If the controller for some reason doesn't overwrite this buffer,
you could be leaking privileged data! Your bug is because you do:

        if (write && copy_from_user(...))
                fail
        else
                clear

so you end up in the clear case for any case where copy_from_user()
doesn't fail. I've fixed it up for you, this is what I committed:

diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
index e239a6c..33f8341 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -1017,10 +1017,11 @@ static int cciss_ioctl(struct inode *ino
 				status = -ENOMEM;
 				goto cleanup1;
 			}
-			if (ioc->Request.Type.Direction == XFER_WRITE &&
-				copy_from_user(buff[sg_used], data_ptr, sz)) {
+			if (ioc->Request.Type.Direction == XFER_WRITE) {
+				if (copy_from_user(buff[sg_used], data_ptr, sz)) {
 					status = -ENOMEM;
-					goto cleanup1;			
+					goto cleanup1;
+				}
 			} else {
 				memset(buff[sg_used], 0, sz);
 			}
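Review bot: `status = -ENOMEM;` inside the new `if (copy_from_user(buff[sg_used], data_ptr, sz))` branch reports an allocation failure for what is a bad user pointer; `-EFAULT` is the conventional return for a failed copy_from_user and lets the caller tell the two apart, and the allocation failure just above the hunk already owns -ENOMEM. The branch split itself is right: the read-side `memset(buff[sg_used], 0, sz);` is now reached only for non-write requests and a successful copy no longer falls into it.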

-- 
Jens Axboe
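The control-flow bug Jens points out, modelled as an added example (this is not code from the cciss driver or from anyone in the thread): the three versions of the buffer-fill logic are run over a buffer pre-seeded with a stale byte pattern standing in for leftover kernel memory, with a fake copy_from_user whose NULL source models a faulting user pointer. The function names, the fake copy helper, the outcome codes and the constructed buffers are assumptions for illustration only.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define XFER_READ  0
#define XFER_WRITE 1
#define BUF_SZ     16

/* Outcomes reported by run_variant() (names are this example's own). */
enum outcome {
    OUTCOME_OK = 0,
    OUTCOME_WRITE_DATA_ZEROED = 1,        /* user data overwritten by memset */
    OUTCOME_STALE_BYTES_IN_READ_BUF = 2   /* read buffer never cleared */
};

/* Stand-in for copy_from_user(): returns bytes NOT copied (0 on success).
 * A NULL source models a faulting user pointer. Assumption for the example. */
static unsigned long fake_copy_from_user(void *to, const void *from, size_t n)
{
    if (from == NULL)
        return n;
    memcpy(to, from, n);
    return 0;
}

typedef int (*fill_fn)(unsigned char *buf, int dir, const void *user, size_t sz);

/* Variant 1: the logic as it stood before the thread, Jens's paraphrase
 * `if (write && copy) fail else clear`. A successful copy makes the whole
 * condition false, so the else branch zeroes the data just copied. */
static int fill_before_patch(unsigned char *buf, int dir, const void *user, size_t sz)
{
    if (dir == XFER_WRITE && fake_copy_from_user(buf, user, sz)) {
        return -ENOMEM;            /* the driver's own error value */
    } else {
        memset(buf, 0, sz);
    }
    return 0;
}

/* Variant 2: the posted patch, else branch deleted. Writes now work, but a
 * read buffer keeps whatever the allocator left in it. */
static int fill_posted_patch(unsigned char *buf, int dir, const void *user, size_t sz)
{
    if (dir == XFER_WRITE && fake_copy_from_user(buf, user, sz))
        return -ENOMEM;
    return 0;
}

/* Variant 3: the committed fix, copy failure and read-clear on separate branches. */
static int fill_committed(unsigned char *buf, int dir, const void *user, size_t sz)
{
    if (dir == XFER_WRITE) {
        if (fake_copy_from_user(buf, user, sz))
            return -ENOMEM;
    } else {
        memset(buf, 0, sz);
    }
    return 0;
}

/* Run one variant on a buffer pre-filled with a stale pattern (constructed
 * stand-in for leftover kernel memory) and report what userspace would see. */
static int run_variant(fill_fn fn, int dir)
{
    unsigned char buf[BUF_SZ];
    unsigned char user[BUF_SZ];
    size_t i;

    memset(buf, 0xAA, BUF_SZ);     /* stale contents */
    memset(user, 'U', BUF_SZ);     /* the application's write payload */

    if (fn(buf, dir, user, BUF_SZ) != 0)
        return -1;

    if (dir == XFER_WRITE)
        return memcmp(buf, user, BUF_SZ) == 0 ? OUTCOME_OK : OUTCOME_WRITE_DATA_ZEROED;

    for (i = 0; i < BUF_SZ; i++)
        if (buf[i] != 0)
            return OUTCOME_STALE_BYTES_IN_READ_BUF;
    return OUTCOME_OK;
}

/* Error code a variant returns when the user pointer faults on a write. */
static int fault_result(fill_fn fn)
{
    unsigned char buf[BUF_SZ];
    return fn(buf, XFER_WRITE, NULL, BUF_SZ);
}

int main(void)
{
    static const char *names[] = { "before patch", "posted patch", "committed fix" };
    fill_fn fns[] = { fill_before_patch, fill_posted_patch, fill_committed };
    int v;

    for (v = 0; v < 3; v++)
        printf("%-13s write=%d read=%d fault=%d\n", names[v],
               run_variant(fns[v], XFER_WRITE), run_variant(fns[v], XFER_READ),
               fault_result(fns[v]));
    return 0;
}
```

Only the committed variant gets both cases right: the pre-thread code zeroes a successful write, the posted patch hands a read buffer to the controller with the stale 0xAA pattern still in it, and all three return the driver's -ENOMEM for a faulting copy, which is the value the thread leaves unchanged.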



* Re: [PATCH 2/3] cciss: bug fix for BIG_PASS_THRU
  2005-11-18 16:41 [PATCH 2/3] cciss: bug fix for BIG_PASS_THRU mikem
  2005-11-18 21:01 ` Jens Axboe
@ 2005-11-18 21:05 ` Philippe Pegon
  1 sibling, 0 replies; 4+ messages in thread
From: Philippe Pegon @ 2005-11-18 21:05 UTC (permalink / raw)
  To: mikem; +Cc: akpm, axboe, linux-kernel, linux-scsi

mikem wrote:
> Patch 2 of 3
> 
> Applications using CCISS_BIG_PASSTHRU complained that the data written
> was zeros.  The code looked alright, but it seems that copy_from_user 
> already does a memset on the buffer. Removing it from the pass-through
> fixes the apps.
> 
> Please consider this for inclusion.

thanks a lot

--
Philippe Pegon


* Re: [PATCH 2/3] cciss: bug fix for BIG_PASS_THRU
  2005-11-18 21:01 ` Jens Axboe
@ 2005-11-18 21:32   ` mikem
  0 siblings, 0 replies; 4+ messages in thread
From: mikem @ 2005-11-18 21:32 UTC (permalink / raw)
  To: Jens Axboe; +Cc: akpm, linux-kernel, linux-scsi

On Fri, Nov 18, 2005 at 10:01:24PM +0100, Jens Axboe wrote:
> On Fri, Nov 18 2005, mikem wrote:
> > Patch 2 of 3
> > 
> > Applications using CCISS_BIG_PASSTHRU complained that the data written
> > was zeros.  The code looked alright, but it seems that copy_from_user 
> > already does a memset on the buffer. Removing it from the pass-through
> > fixes the apps.
> 
> Hmm, I don't like this patch, since you never clear the buffer for reads
> now. If the controller for some reason doesn't overwrite this buffer,
> you could be leaking privileged data! Your bug is because you do:
> 
>         if (write && copy_from_user(...))
>                 fail
>         else
>                 clear
> 
> so you end up in the clear case for any case where copy_from_user()
> doesn't fail. I've fixed it up for you, this is what I committed:

Thanks, Jens.

> 
> diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
> index e239a6c..33f8341 100644
> --- a/drivers/block/cciss.c
> +++ b/drivers/block/cciss.c
> @@ -1017,10 +1017,11 @@ static int cciss_ioctl(struct inode *ino
>  				status = -ENOMEM;
>  				goto cleanup1;
>  			}
> -			if (ioc->Request.Type.Direction == XFER_WRITE &&
> -				copy_from_user(buff[sg_used], data_ptr, sz)) {
> +			if (ioc->Request.Type.Direction == XFER_WRITE) {
> +				if (copy_from_user(buff[sg_used], data_ptr, sz)) {
>  					status = -ENOMEM;
> -					goto cleanup1;			
> +					goto cleanup1;
> +				}
>  			} else {
>  				memset(buff[sg_used], 0, sz);
>  			}
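Review bot: the removed and re-added `goto cleanup1;` lines in this quoted hunk differ only in trailing whitespace; bundling that cosmetic cleanup with the read-buffer clearing fix makes the logic change harder to pick out of the diff, so it would read better as a separate whitespace-only patch. The substantive change is just the split of `if (ioc->Request.Type.Direction == XFER_WRITE) {` from the inner `if (copy_from_user(buff[sg_used], data_ptr, sz)) {`.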
> 
> -- 
> Jens Axboe
> 

