From: Dan Carpenter <dan.carpenter@oracle.com>
To: Rob Springer <rspringer@google.com>
Cc: devel@driverdev.osuosl.org, kernel-janitors@vger.kernel.org,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
John Joseph <jnjoseph@google.com>, Simon Que <sque@chromium.org>,
Richard Yeh <rcy@google.com>, Todd Poynor <toddpoynor@google.com>
Subject: [PATCH] staging: gasket: Fix sizeof() in gasket_handle_ioctl()
Date: Fri, 22 Jan 2021 15:01:13 +0000
Message-ID: <YAroue0qiuf35rkS@mwanda>

The "gasket_dev->num_page_tables" variable is an int but this is copying
sizeof(u64). On 32 bit systems this would end up disclosing a kernel
pointer to user space, but on 64 bit it copies zeroes from a struct
hole.
Fixes: 9a69f5087ccc ("drivers/staging: Gasket driver framework + Apex driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
This is an API change. Please review this carefully! Another potential
fix would be to make ->num_page_tables a long instead of an int.
drivers/staging/gasket/gasket_ioctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/gasket/gasket_ioctl.c b/drivers/staging/gasket/gasket_ioctl.c
index e3047d36d8db..c4abac35c1ca 100644
--- a/drivers/staging/gasket/gasket_ioctl.c
+++ b/drivers/staging/gasket/gasket_ioctl.c
@@ -318,7 +318,7 @@ long gasket_handle_ioctl(struct file *filp, uint cmd, void __user *argp)
case GASKET_IOCTL_NUMBER_PAGE_TABLES:
trace_gasket_ioctl_integer_data(gasket_dev->num_page_tables);
if (copy_to_user(argp, &gasket_dev->num_page_tables,
- sizeof(uint64_t)))
+ sizeof(gasket_dev->num_page_tables)))
retval = -EFAULT;
else
retval = 0;
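Review bot: In the copy_to_user() call for GASKET_IOCTL_NUMBER_PAGE_TABLES, the length shrinks from sizeof(uint64_t) to the size of an int, so a caller that still passes a 64-bit buffer gets only its first four bytes written and reads whatever it had in the remaining four. If the existing user-space interface has to stay at 64 bits, assign gasket_dev->num_page_tables to a local u64 and pass that local and its sizeof() to copy_to_user(); this removes the read past the int without changing the size callers see. Whichever size is chosen, it should be stated in the commit message and in the ioctl's documentation so callers know how large a buffer to pass and whether to zero it first.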
--
2.29.2