From: Al Viro <viro@ftp.linux.org.uk>
To: Arnd Bergmann <arnd@arndb.de>
Cc: Jens Axboe <jens.axboe@oracle.com>,
	linux-kernel@vger.kernel.org, davem@davemloft.net, hch@lst.de
Subject: Re: [patch 9/9] compat_ioctl: fix compat_fd_ioctl pointer access
Date: Sun, 7 Oct 2007 10:59:55 +0100
Message-ID: <20071007095955.GR8181@ftp.linux.org.uk>
In-Reply-To: <20071006182343.857595918@arndb.de>

On Sat, Oct 06, 2007 at 08:19:11PM +0200, Arnd Bergmann wrote:
> As found by sparse, a user space pointer is assigned to a kernel
> data structure while calling other code with set_fs(KERNEL_DS),
> which could lead to leaking kernel data if that pointer is
> ever accessed.
> 
> I could not find any place in the floppy drivers that actually
> uses that pointer, but assigning it to an empty string is
> a safer choice and gets rid of the sparse warning.

FWIW, I'd kill kmalloc(), switch to compat_alloc_user_space() and
copy_in_user() / get_user()+put_user().  And kill set_fs() around that
sys_ioctl()...  Separate from the rest of this series, though.
