From: Arnd Bergmann <arnd@arndb.de>
To: Jens Axboe <jens.axboe@oracle.com>
Cc: linux-kernel@vger.kernel.org, davem@davemloft.net, hch@lst.de,
	Al Viro <viro@ftp.linux.org.uk>
Subject: [patch 9/9] compat_ioctl: fix compat_fd_ioctl pointer access
Date: Sat, 06 Oct 2007 20:19:11 +0200
Message-ID: <20071006182343.857595918@arndb.de>
In-Reply-To: 20071006181902.141862534@arndb.de
[-- Attachment #1: compat-floppy-ioctl-pointer.diff --]
[-- Type: text/plain, Size: 896 bytes --]
As found by sparse, a user space pointer is assigned to a kernel
data structure while calling other code with set_fs(KERNEL_DS),
which could lead to leaking kernel data if that pointer is
ever accessed.

I could not find any place in the floppy drivers that actually
uses that pointer, but assigning it to an empty string is
a safer choice and gets rid of the sparse warning.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Index: linux-2.6/block/compat_ioctl.c
===================================================================
--- linux-2.6.orig/block/compat_ioctl.c
+++ linux-2.6/block/compat_ioctl.c
@@ -349,7 +349,7 @@ static int compat_fd_ioctl(struct inode
err |= __get_user(f->spec1, &uf->spec1);
err |= __get_user(f->fmt_gap, &uf->fmt_gap);
err |= __get_user(name, &uf->name);
- f->name = compat_ptr(name);
+ f->name = "";
if (err) {
err = -EFAULT;
goto out;
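Review bot: with `f->name = "";` in place, the value fetched by `err |= __get_user(name, &uf->name);` on the line above is no longer consumed, so that read now serves only as a fault check on the user structure. If nothing else in compat_fd_ioctl() uses `name`, consider dropping the fetch and the local; if the fault check is wanted, keep it but add a one-line comment at the assignment saying the user-supplied name pointer is deliberately discarded because the structure is handed on under set_fs(KERNEL_DS). Without that comment a later cleanup could reasonably "restore" the compat_ptr() assignment and reintroduce the user pointer into a kernel-side structure. It would also help to note in the changelog whether "" rather than NULL was chosen so that a consumer dereferencing f->name stays safe, since that is the property the fix relies on.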
--