From: Mikael Pettersson <mikpe@csd.uu.se>
To: Arjan van de Ven <arjan@infradead.org>
Cc: Pete Zaitcev <zaitcev@redhat.com>, Greg KH <greg@kroah.com>,
linux-usb-devel@lists.sourceforge.net,
linux-kernel@vger.kernel.org
Subject: Re: usb: Patch for USBDEVFS_IOCTL from 32-bit programs
Date: Tue, 18 Oct 2005 21:08:38 +0200 [thread overview]
Message-ID: <17237.18486.209678.977162@alkaid.it.uu.se> (raw)
In-Reply-To: <1129661516.2779.25.camel@laptopd505.fenrus.org>
Arjan van de Ven writes:
> On Tue, 2005-10-18 at 11:49 -0700, Pete Zaitcev wrote:
>
> >
> > The problem here is that compat_ptr does NOT turn user data pointer
> > into a kernel pointer. It's still a user pointer, only sized
> > differently. So, when you do set_fs(KERNEL_DS), this pointer
> > is invalid (miraclously, it does work on AMD64, so Dell's tests
> > pass on their new Xeons).
> >
> > So, you cannot simply to have a small shim. Instead, you have to allocate
> > the buffer, do copy_from_user(), and then call the ioctl. But then,
> > it would be a double-copy, when the ioctl allocates the buffer again.
> >
> > I tweaked this in various ways, and the patch I posted looks like
> > the cleanest solution. But please tell me if I miss something obvious.
>
>
> there is one more option; allocate on the user stack space for a 64 bit
> struct, then copy_in_user() the fields to that and then pass the new
> pointer to the 64 bit struct to the ioctl.....
Doesn't work and it would break user-space.
Case 1 is when the user stack pointer is at or very near the limit
of the available address space for the user stack, and the next page
is not available for expanding the stack.
Case 2 is when user-space manages its own threads and stacks, using
sigaltstack() to ensure that signal handlers execute elsewhere. Assume
the user stack pointer is at or near the limit of the currently allocated
stack. Having the kernel write to memory beyond the user's stack pointer
can then easily clobber some unrelated user data structure.
So please don't do this.
/Mikael
prev parent reply other threads:[~2005-10-18 19:09 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-10-18 1:15 usb: Patch for USBDEVFS_IOCTL from 32-bit programs Pete Zaitcev
2005-10-18 17:13 ` Greg KH
2005-10-18 15:05 ` Christopher Li
2005-10-19 3:33 ` Pete Zaitcev
2005-10-18 18:49 ` Pete Zaitcev
2005-10-18 18:51 ` Arjan van de Ven
2005-10-18 19:08 ` Mikael Pettersson [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=17237.18486.209678.977162@alkaid.it.uu.se \
--to=mikpe@csd.uu.se \
--cc=arjan@infradead.org \
--cc=greg@kroah.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb-devel@lists.sourceforge.net \
--cc=zaitcev@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox