From: Steven Rostedt <rostedt@goodmis.org>
To: Vinay Venkataraghavan <raghavanvinay@yahoo.com>
Cc: Andi Kleen <ak@suse.de>, linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: copy_from_user/copy_to_user question
Date: Tue, 06 Dec 2005 13:23:14 -0500
Message-ID: <1133893394.6724.88.camel@localhost.localdomain>
In-Reply-To: <20051206175301.34596.qmail@web32110.mail.mud.yahoo.com>
On Tue, 2005-12-06 at 09:53 -0800, Vinay Venkataraghavan wrote:
> Thanks to Steve and everybody who sent such detailed
> and timely responses to my question.
>
> The motivation for the copy to user question is due to
> the handling of ioctl calls in the driver for a chip
> that is widely used. I just could not believe that
> they would/could commit such a mistake.
>
> It looks like the old driver code still seems to work
> even without performing copy_to_user and
> copy_from_user.
How old is this driver? In the old days, we had memcpy_fromfs, which I
believe was replaced with copy_from_user in 2.2 (and thus would no
longer work).
>
> But this brings about another scenario. What if the
> case statement in the ioctl call only needs to have
> access to the members of the structure passed in
> through the arg pointer but does not need to modify
> these values and return values.
>
> Is this still a problem if copy_to_user and
> copy_from_user is not used?
>
If what it is looking at is just a standard type (char, short, int,
long) within the struct, it can use get_user, and not the bigger cousin
copy_from_user. The arg value passed in for the ioctl is OK to read
itself. That is if you are just reading the arg as unsigned long. But
if this arg is dereferenced as a pointer, then you must use one of the
*_user functions.
If it isn't using any of the *_user functions then most likely this
works with just plain luck. The chance of having the page swap out from
the time the user updates the struct to the time the kernel reads it is
very slim. So memcpy would unfortunately work. (I say unfortunately
because if it didn't work, the author of this crap would not have done
so). It also seems to trust the user application to work properly.
So instead of asking these questions, I would suggest writing a user
application that passes in a bad pointer for one of these arguments and
seeing if the machine crashes. If/When it does, then go blame the
vendor of this crap.
-- Steve
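The ioctl argument handling Steve describes above, as an added example that is not from this thread or from any real driver: the FOO_* commands, struct foo_params and the dev_* globals are hypothetical, and because the block has to build outside the kernel, copy_from_user/get_user are replaced by a small mock that accepts only one constructed buffer as user memory, so a bad pointer comes back as -EFAULT instead of an oops.

```c
#include <stdint.h>
#include <string.h>
#include <errno.h>
#define FOO_SET_PARAMS 1  /* arg is a user pointer to struct foo_params */
#define FOO_GET_MODE   2  /* arg is a user pointer to a single int */
#define FOO_SET_LEVEL  3  /* arg is the value itself, not a pointer */
struct foo_params { int mode; unsigned long len; };
/* Mock of the kernel uaccess helpers (assumption for the demo): only user_buf
 * counts as user memory; any other address is treated as a bad pointer. */
#define __user
static _Alignas(8) char user_buf[64];
static int user_range_ok(const void *p, size_t n)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)user_buf;
    return a >= lo && a + n <= lo + sizeof(user_buf);
}
/* Like the kernel: returns the number of bytes that could NOT be copied. */
static unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
{
    if (!user_range_ok(from, n)) return n;
    memcpy(to, from, n);
    return 0;
}
/* Like the kernel macro: 0 on success, -EFAULT if the pointer is bad. */
#define get_user(x, ptr) \
    (user_range_ok((ptr), sizeof(*(ptr))) ? ((x) = *(ptr), 0) : -EFAULT)
static int dev_mode, dev_level;
static unsigned long dev_len;
long foo_ioctl(unsigned int cmd, unsigned long arg)
{
    struct foo_params p;
    switch (cmd) {
    case FOO_SET_PARAMS:   /* whole struct: copy it in, never memcpy/deref */
        if (copy_from_user(&p, (const void __user *)arg, sizeof(p)))
            return -EFAULT;
        dev_mode = p.mode; dev_len = p.len;
        return 0;
    case FOO_GET_MODE:     /* one scalar: get_user is enough */
        if (get_user(dev_mode, (const int __user *)arg))
            return -EFAULT;
        return 0;
    case FOO_SET_LEVEL:    /* arg is the value: plain read, no *_user needed */
        dev_level = (int)arg;
        return 0;
    }
    return -ENOTTY;
}
```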