From: Greg KH <gregkh@linuxfoundation.org>
To: Fuqian Huang <huangfq.daxian@gmail.com>
Cc: jslaby@suse.com, linux-kernel@vger.kernel.org
Subject: Re: a kernel address leak via copy_to_user in drivers/tty/rocket.c
Date: Sat, 30 Mar 2019 09:11:56 +0100
Message-ID: <20190330081156.GA3149@kroah.com>
In-Reply-To: <CABXRUiSvSP=L3Twkya9HiuzQHmJngTET3XEKoxGGpSfPxb-_tw@mail.gmail.com>

On Sat, Mar 30, 2019 at 04:02:38PM +0800, Fuqian Huang wrote:
> I add a function to mask all pointer fields of struct r_port. (Other
> pointer fields may have a similar issue, so I set all pointer fields
> to NULL);
> The modified code is marked with ">"
>
> >1274 static void mask_pointer(struct r_port *info, struct r_port *masked_info) {
> >1275 memcpy(masked_info, info, sizeof (struct r_port));
> >1276 masked_info->port.tty = NULL;
> >1277 masked_info->port.itty = NULL;
> >1278 masked_info->port.ops = NULL;
> >1279 masked_info->port.client_ops = NULL;
> >1280 memset(&masked_info->port.open_wait.head, 0, sizeof(struct list_head));
> >1281 memset(&masked_info->port.delta_msr_wait.head, 0, sizeof(struct list_head));
> >1282 memset(&masked_info->port.mutex.wait_list, 0, sizeof(struct list_head));
> >1283 memset(&masked_info->port.buf_mutex.wait_list, 0, sizeof(struct list_head));
> >1284 masked_info->port.xmit_buf = NULL;
> >1285 masked_info->port.client_data = NULL;
> >1286 masked_info->ctlp = NULL;
> >1287 masked_info->xmit_buf = NULL;
> >1288 memset(&masked_info->write_mtx.wait_list, 0, sizeof(struct list_head));
> >1289 }
> 1290
> 1291 /* IOCTL call handler into the driver */
> 1292 static int rp_ioctl(struct tty_struct *tty,
> 1293 unsigned int cmd, unsigned long arg)
> 1294 {
> 1295 struct r_port *info = tty->driver_data;
> >1296 struct r_port *masked_info;
> 1297 void __user *argp = (void __user *)arg;
> 1298 int ret = 0;
> 1299
> 1300 if (cmd != RCKP_GET_PORTS && rocket_paranoia_check(info, "rp_ioctl"))
> 1301 return -ENXIO;
> 1302 switch (cmd) {
> 1303 case RCKP_GET_STRUCT:
> >1304 masked_info = kzalloc(sizeof (struct r_port), GFP_KERNEL);
> >1305 mask_pointer(info, masked_info);
> >1306 if (copy_to_user(argp, masked_info, sizeof (struct r_port)))
> 1307 ret = -EFAULT;
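
Review bot: the kzalloc() result at line 1304 is passed straight to mask_pointer() at line 1305 without a NULL check, so an allocation failure turns into a NULL dereference in the memcpy() at line 1275; add `if (!masked_info) return -ENOMEM;` before the call. The quoted lines also show no kfree(masked_info), which is needed on both the success path and the -EFAULT path, otherwise every RCKP_GET_STRUCT call leaks sizeof(struct r_port) bytes of kernel memory. Since the memcpy() overwrites the whole buffer, the zeroing done by kzalloc() buys nothing here and kmalloc() would do. More fundamentally, mask_pointer() copies the entire struct and then clears a hand-maintained list of members, so any pointer-bearing field that is missing from the list, or that is added to struct r_port or struct tty_port later, still reaches userspace; building the reply in a zeroed structure and copying in only the fields userspace needs fails closed instead. Minor style points: the opening brace of mask_pointer() belongs on its own line, and `sizeof(*masked_info)` is preferred over `sizeof (struct r_port)`.
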
Please read Documentation/SubmittingPatches for the proper way to create
and submit a patch such that we can apply it.

thanks!

greg k-h