* [PATCH] staging: gasket: Fix sizeof() in gasket_handle_ioctl()
@ 2021-01-22 15:01 Dan Carpenter
2021-03-09 13:26 ` Greg Kroah-Hartman
0 siblings, 1 reply; 4+ messages in thread
From: Dan Carpenter @ 2021-01-22 15:01 UTC (permalink / raw)
To: Rob Springer
Cc: devel, kernel-janitors, Greg Kroah-Hartman, John Joseph,
Simon Que, Richard Yeh, Todd Poynor
The "gasket_dev->num_page_tables" variable is an int but this is copying
sizeof(u64). On 32 bit systems this would end up disclosing a kernel
pointer to user space, but on 64 bit it copies zeroes from a struct
hole.
Fixes: 9a69f5087ccc ("drivers/staging: Gasket driver framework + Apex driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
This is an API change. Please review this carefully! Another potential
fix would be to make ->num_page_tables a long instead of an int.
drivers/staging/gasket/gasket_ioctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/gasket/gasket_ioctl.c b/drivers/staging/gasket/gasket_ioctl.c
index e3047d36d8db..c4abac35c1ca 100644
--- a/drivers/staging/gasket/gasket_ioctl.c
+++ b/drivers/staging/gasket/gasket_ioctl.c
@@ -318,7 +318,7 @@ long gasket_handle_ioctl(struct file *filp, uint cmd, void __user *argp)
case GASKET_IOCTL_NUMBER_PAGE_TABLES:
trace_gasket_ioctl_integer_data(gasket_dev->num_page_tables);
if (copy_to_user(argp, &gasket_dev->num_page_tables,
- sizeof(uint64_t)))
+ sizeof(gasket_dev->num_page_tables)))
retval = -EFAULT;
else
retval = 0;
--
2.29.2
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [PATCH] staging: gasket: Fix sizeof() in gasket_handle_ioctl()
2021-01-22 15:01 [PATCH] staging: gasket: Fix sizeof() in gasket_handle_ioctl() Dan Carpenter
@ 2021-03-09 13:26 ` Greg Kroah-Hartman
2021-03-09 16:57 ` AW: " Walter Harms
0 siblings, 1 reply; 4+ messages in thread
From: Greg Kroah-Hartman @ 2021-03-09 13:26 UTC (permalink / raw)
To: Dan Carpenter
Cc: Rob Springer, devel, kernel-janitors, John Joseph, Simon Que,
Richard Yeh, Todd Poynor
On Fri, Jan 22, 2021 at 06:01:13PM +0300, Dan Carpenter wrote:
> The "gasket_dev->num_page_tables" variable is an int but this is copying
> sizeof(u64). On 32 bit systems this would end up disclosing a kernel
> pointer to user space, but on 64 bit it copies zeroes from a struct
> hole.
>
> Fixes: 9a69f5087ccc ("drivers/staging: Gasket driver framework + Apex driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> This is an API change. Please review this carefully! Another potential
> fix would be to make ->num_page_tables a long instead of an int.
>
> drivers/staging/gasket/gasket_ioctl.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Looks like this driver is dead, with no response from anyone from
Google.
Should I just delete it? The goal of using normal apis and getting this
out of staging seems to have totally died, so it shouldn't even still be
living in the kernel tree. Even if having it here actually finds
security issues that the authors missed like this :(
So, any objection to me deleting it?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 4+ messages in thread* AW: [PATCH] staging: gasket: Fix sizeof() in gasket_handle_ioctl()
2021-03-09 13:26 ` Greg Kroah-Hartman
@ 2021-03-09 16:57 ` Walter Harms
2021-03-09 17:03 ` Greg Kroah-Hartman
0 siblings, 1 reply; 4+ messages in thread
From: Walter Harms @ 2021-03-09 16:57 UTC (permalink / raw)
To: Greg Kroah-Hartman, Dan Carpenter
Cc: Rob Springer, devel@driverdev.osuosl.org,
kernel-janitors@vger.kernel.org, John Joseph, Simon Que,
Richard Yeh, Todd Poynor
why not mark it as "Deprecated" and remove it with the next version ? Maybe soneone will wakeup ?
re,
wh
________________________________________
Von: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Gesendet: Dienstag, 9. März 2021 14:26:55
An: Dan Carpenter
Cc: Rob Springer; devel@driverdev.osuosl.org; kernel-janitors@vger.kernel.org; John Joseph; Simon Que; Richard Yeh; Todd Poynor
Betreff: Re: [PATCH] staging: gasket: Fix sizeof() in gasket_handle_ioctl()
On Fri, Jan 22, 2021 at 06:01:13PM +0300, Dan Carpenter wrote:
> The "gasket_dev->num_page_tables" variable is an int but this is copying
> sizeof(u64). On 32 bit systems this would end up disclosing a kernel
> pointer to user space, but on 64 bit it copies zeroes from a struct
> hole.
>
> Fixes: 9a69f5087ccc ("drivers/staging: Gasket driver framework + Apex driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> This is an API change. Please review this carefully! Another potential
> fix would be to make ->num_page_tables a long instead of an int.
>
> drivers/staging/gasket/gasket_ioctl.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Looks like this driver is dead, with no response from anyone from
Google.
Should I just delete it? The goal of using normal apis and getting this
out of staging seems to have totally died, so it shouldn't even still be
living in the kernel tree. Even if having it here actually finds
security issues that the authors missed like this :(
So, any objection to me deleting it?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH] staging: gasket: Fix sizeof() in gasket_handle_ioctl()
2021-03-09 16:57 ` AW: " Walter Harms
@ 2021-03-09 17:03 ` Greg Kroah-Hartman
0 siblings, 0 replies; 4+ messages in thread
From: Greg Kroah-Hartman @ 2021-03-09 17:03 UTC (permalink / raw)
To: Walter Harms
Cc: Dan Carpenter, devel@driverdev.osuosl.org, John Joseph,
kernel-janitors@vger.kernel.org, Simon Que, Richard Yeh,
Rob Springer, Todd Poynor
On Tue, Mar 09, 2021 at 04:57:59PM +0000, Walter Harms wrote:
> why not mark it as "Deprecated" and remove it with the next version ? Maybe soneone will wakeup ?
We don't really have a "Deprecated" marking, we just delete them :)
thanks,
greg k-h
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-03-09 17:04 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2021-01-22 15:01 [PATCH] staging: gasket: Fix sizeof() in gasket_handle_ioctl() Dan Carpenter
2021-03-09 13:26 ` Greg Kroah-Hartman
2021-03-09 16:57 ` AW: " Walter Harms
2021-03-09 17:03 ` Greg Kroah-Hartman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox