From: Heiko Carstens <heiko.carstens@de.ibm.com>
To: Christoph Hellwig <hch@infradead.org>
Cc: Andrew Morton <akpm@osdl.org>,
linux-kernel@vger.kernel.org, linux-scsi@vger.kernel.org,
James Bottomley <James.Bottomley@steeleye.com>
Subject: Re: [patch 5/5] scsi: fix uaccess handling
Date: Sun, 29 Oct 2006 22:39:22 +0100
Message-ID: <20061029213922.GA8494@osiris.ibm.com>
In-Reply-To: <20061028113143.GB14785@infradead.org>
> While not your fault I'd suggest to fix the __put_user abuse at the same
> time, as in the untested patch below for scsi_ioctl.c:
Makes sense. Even though the whole SCSI_IOCTL_GET_IDLUN ioctl interface
is pretty pointless.
It supports only up to 255 different ids and luns and might return the
same 'dev_id' for two different devices...
Any user space utility that depends on this interface would do the wrong
thing (whatever that would be).
> Index: linux-2.6/drivers/scsi/scsi_ioctl.c
> ===================================================================
> --- linux-2.6.orig/drivers/scsi/scsi_ioctl.c 2006-10-28 13:24:18.000000000 +0200
> +++ linux-2.6/drivers/scsi/scsi_ioctl.c 2006-10-28 13:30:17.000000000 +0200
> @@ -173,6 +173,21 @@
> return copy_to_user(arg, dev->bus_id, sizeof(dev->bus_id))? -EFAULT: 0;
> }
>
> +static int scsi_get_idlun(struct scsi_device *sdev,
> + struct scsi_idlun __user *arg)
> +{
> + struct scsi_idlun karg = {
> + .dev_id = (sdev->id & 0xff) +
> + ((sdev->lun & 0xff) << 8) +
> + ((sdev->channel & 0xff) << 16) +
> + ((sdev->host->host_no & 0xff) << 24),
> + .host_unique_id = sdev->host->unique_id
> + };
> +
> + if (copy_to_user(arg, &karg, sizeof(struct scsi_idlun)))
> + return -EFAULT;
> + return 0;
> +}
>
> /*
> * the scsi_ioctl() function differs from most ioctls in that it does
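Review bot: in `scsi_get_idlun()`, `karg` is a kernel stack object that is copied out whole with `copy_to_user(arg, &karg, sizeof(struct scsi_idlun))`, while the designated initializer sets only the two named members and does not guarantee the contents of any padding. The definition of `struct scsi_idlun` is not part of this hunk, so it is worth confirming that the struct has no padding before relying on the initializer; otherwise a `memset(&karg, 0, sizeof(karg))` ahead of member-by-member assignment keeps uninitialized stack bytes out of user space. Writing the length as `sizeof(karg)` would also tie it to the object being copied.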
> @@ -214,17 +229,7 @@
>
> switch (cmd) {
> case SCSI_IOCTL_GET_IDLUN:
> - if (!access_ok(VERIFY_WRITE, arg, sizeof(struct scsi_idlun)))
> - return -EFAULT;
> -
> - __put_user((sdev->id & 0xff)
> - + ((sdev->lun & 0xff) << 8)
> - + ((sdev->channel & 0xff) << 16)
> - + ((sdev->host->host_no & 0xff) << 24),
> - &((struct scsi_idlun __user *)arg)->dev_id);
> - __put_user(sdev->host->unique_id,
> - &((struct scsi_idlun __user *)arg)->host_unique_id);
> - return 0;
> + return scsi_get_idlun(sdev, arg);
> case SCSI_IOCTL_GET_BUS_NUMBER:
> return put_user(sdev->host->host_no, (int __user *)arg);
> case SCSI_IOCTL_PROBE_HOST:
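Review bot: at `case SCSI_IOCTL_GET_IDLUN:` the user-visible return value changes, and the changelog should say so. The removed code discarded the results of both `__put_user()` calls and returned 0 once `access_ok()` had passed, whereas `return scsi_get_idlun(sdev, arg);` now reports -EFAULT when the copy faults. The removed lines also cast `arg` to `struct scsi_idlun __user *` explicitly while the new call passes `arg` uncast, so a sparse run over scsi_ioctl.c is a cheap way to confirm the `__user` annotation still lines up, given that the patch is described as untested.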
Thread overview: 11+ messages
2006-10-26 13:00 [patch 0/5] various user space access fixes Heiko Carstens
2006-10-26 13:01 ` [patch 1/5] binfmt: fix uaccess handling Heiko Carstens
2006-10-27 4:37 ` Andrew Morton
2006-10-26 13:02 ` [patch 2/5] compat: " Heiko Carstens
2006-10-26 13:03 ` [patch 3/5] net: " Heiko Carstens
2006-10-30 23:06 ` David Miller
2006-10-26 13:04 ` [patch 4/5] profile: " Heiko Carstens
2006-10-26 13:04 ` [patch 5/5] scsi: " Heiko Carstens
2006-10-28 11:31 ` Christoph Hellwig
2006-10-29 21:39 ` Heiko Carstens [this message]
2006-12-15 17:36 ` James Bottomley