From: Greg KH <gregkh@linuxfoundation.org>
To: Fuqian Huang <huangfq.daxian@gmail.com>
Cc: jslaby@suse.com, linux-kernel@vger.kernel.org
Subject: Re: a kernel address leak via copy_to_user in drivers/tty/rocket.c
Date: Sat, 30 Mar 2019 09:11:56 +0100 [thread overview]
Message-ID: <20190330081156.GA3149@kroah.com> (raw)
In-Reply-To: <CABXRUiSvSP=L3Twkya9HiuzQHmJngTET3XEKoxGGpSfPxb-_tw@mail.gmail.com>
On Sat, Mar 30, 2019 at 04:02:38PM +0800, Fuqian Huang wrote:
> I add a function to mask all pointer fields of struct r_port. (Other
> pointer fields may have a similar issue, so I set all pointer fields
> to NULL);
> The modified code is marked with ">"
>
> >1274 static void mask_pointer(struct r_port *info, struct r_port *masked_info) {
> >1275 memcpy(masked_info, info, sizeof (struct r_port));
> >1276 masked_info->port.tty = NULL;
> >1277 masked_info->port.itty = NULL;
> >1278 masked_info->port.ops = NULL;
> >1279 masked_info->port.client_ops = NULL;
> >1280 memset(&masked_info->port.open_wait.head, 0, sizeof(struct list_head));
> >1281 memset(&masked_info->port.delta_msr_wait.head, 0, sizeof(struct list_head));
> >1282 memset(&masked_info->port.mutex.wait_list, 0, sizeof(struct list_head));
> >1283 memset(&masked_info->port.buf_mutex.wait_list, 0, sizeof(struct list_head));
> >1284 masked_info->port.xmit_buf = NULL;
> >1285 masked_info->port.client_data = NULL;
> >1286 masked_info->ctlp = NULL;
> >1287 masked_info->xmit_buf = NULL;
> >1288 memset(&masked_info->write_mtx.wait_list, 0, sizeof(struct list_head));
> >1289 }
> 1290
> 1291 /* IOCTL call handler into the driver */
> 1292 static int rp_ioctl(struct tty_struct *tty,
> 1293 unsigned int cmd, unsigned long arg)
> 1294 {
> 1295 struct r_port *info = tty->driver_data;
> >1296 struct r_port *masked_info;
> 1297 void __user *argp = (void __user *)arg;
> 1298 int ret = 0;
> 1299
> 1300 if (cmd != RCKP_GET_PORTS && rocket_paranoia_check(info, "rp_ioctl"))
> 1301 return -ENXIO;
> 1302 switch (cmd) {
> 1303 case RCKP_GET_STRUCT:
> >1304 masked_info = kzalloc(sizeof (struct r_port), GFP_KERNEL);
> >1305 mask_pointer(info, masked_info);
> >1306 if (copy_to_user(argp, masked_info, sizeof (struct r_port)))
> 1307 ret = -EFAULT;
Please read Documentation/SubmittingPatches for the proper way to create
and submit a patch such that we can apply it.
thanks!
greg k-h
prev parent reply other threads:[~2019-03-30 8:12 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-30 7:05 a kernel address leak via copy_to_user in drivers/tty/rocket.c Fuqian Huang
2019-03-30 7:14 ` Greg KH
2019-03-30 8:02 ` Fuqian Huang
2019-03-30 8:11 ` Greg KH [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190330081156.GA3149@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=huangfq.daxian@gmail.com \
--cc=jslaby@suse.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.