From: Andi Kleen <ak@suse.de>
To: Pavel Machek <pavel@suse.cz>
Cc: akpm@digeo.com, davem@redhat.com, linux-kernel@vger.kernel.org
Subject: Re: must-fix list, v5
Date: 29 May 2003 11:17:36 +0200
Message-ID: <p73wuga6rin.fsf@oldwotan.suse.de>
In-Reply-To: <20030528215551.GB255@elf.ucw.cz.suse.lists.linux.kernel>
Pavel Machek <pavel@suse.cz> writes:
> + kiov = (sg_iovec_t *) sgp->dxferp;
> + for (i = 0; i < sgp->iovec_count; i++) {
> + u32 iov_base32;
> + if (__get_user(iov_base32, &uiov->iov_base) ||
> + __get_user(kiov->iov_len, &uiov->iov_len))
> + return -EFAULT;
> + if (verify_area(VERIFY_WRITE, compat_ptr(iov_base32), kiov->iov_len))
> + return -EFAULT;
> + kiov->iov_base = compat_ptr(iov_base32);
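Review bot: the two __get_user() calls in this loop skip the access check, and nothing in the quoted lines validates uiov for sgp->iovec_count entries beforehand; either precede the loop with a verify_area(VERIFY_READ, ...) over the whole array or use get_user() here. The quoted loop body also never advances uiov or kiov, so confirm both are incremented per iteration in the part that is not quoted.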
This part won't work on sparc64 because it has separate address spaces
for user/kernel. I did it this way for x86-64 because I didn't realize
the sparc64 problem yet and it works fine there. For sparc64 it needs to be
converted to compat_alloc_user_space() (see net/compat.c for an example)
or to alloc/copy the payload again. The first is preferred.

Pavel, you would need to fix this first, otherwise Ben Collins and DaveM
will be unhappy as soon as they want to burn a CD.
> + } else {
> + err = verify_area(VERIFY_WRITE, compat_ptr(dxferp32), sg_io64.dxfer_len);
> + if (err)
> + goto out;
> +
> + sg_io64.dxferp = compat_ptr(dxferp32);
> + }
Same here.
t_user(cdread.cdread_lba, &((struct cdrom_read32 *)arg)->cdread_lba);
> + err |= __get_user(addr, &((struct cdrom_read32 *)arg)->cdread_bufaddr);
> + err |= __get_user(cdread.cdread_buflen, &((struct cdrom_read32 *)arg)->cdread_buflen);
> + if (err)
> + return -EFAULT;
> + if (verify_area(VERIFY_WRITE, compat_ptr(addr), cdread.cdread_buflen))
> + return -EFAULT;
> + cdread.cdread_bufaddr = compat_ptr(addr);
Same here.
> + err |= __get_user(addr, &((struct cdrom_read_audio32 *)arg)->buf);
> + if (err)
> + return -EFAULT;
> +
> +
> + if (verify_area(VERIFY_WRITE, compat_ptr(addr), cdreadaudio.nframes*2352))
> + return -EFAULT;
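Review bot: the length passed to verify_area(), cdreadaudio.nframes*2352, is a product of a frame count taken from the caller's struct, so if nframes is not bounded first the multiplication can wrap and the check then covers a shorter range than the driver later writes. Reject negative or oversized nframes before multiplying, and use CD_FRAMESIZE_RAW instead of the literal 2352.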
And here.
err |= __get_user(addr, &((struct cdrom_generic_command32 *)arg)->buffer);
> + err |= __get_user(cgc.buflen, &((struct cdrom_generic_command32 *)arg)->buflen);
> + if (err)
> + return -EFAULT;
> + if (verify_area(VERIFY_WRITE, compat_ptr(addr), cgc.buflen))
> + return -EFAULT;
> + cgc.buffer = compat_ptr(addr);
And here
> + if (iobuf32.buffer == (compat_caddr_t) NULL || iobuf32.length == 0) {
> + iobuf.buffer = (void*)(unsigned long)iobuf32.buffer;
> + } else {
> + iobuf.buffer = compat_ptr(iobuf32.buffer);
> + if (verify_area(VERIFY_WRITE, iobuf.buffer, iobuf.length))
> + return -EINVAL;
> + }
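Review bot: the verify_area() call checks iobuf.length while the branch above tests iobuf32.length, and no assignment of iobuf.length appears in the quoted lines; check against iobuf32.length or make sure the copy happens before this point. This path also returns -EINVAL where the other handlers in the patch return -EFAULT for a failed range check.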
And here.
> + if (sioc32.arg == (compat_caddr_t) NULL || sioc32.length == 0) {
> + sioc.arg = (void*)(unsigned long)sioc32.arg;
> + } else {
> + sioc.arg = compat_ptr(sioc32.arg);
> + if (verify_area(VERIFY_WRITE, sioc.arg, sioc32.length))
> + return -EFAULT;
> + }
> +
> + old_fs = get_fs(); set_fs (KERNEL_DS);
> + err = sys_ioctl (fd, cmd, (unsigned long)&sioc);
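Review bot: when sioc32.length == 0, a non-NULL sioc32.arg is copied into sioc.arg without any range check, and the ioctl is then issued under KERNEL_DS, where the callee's own user-access checks no longer reject kernel addresses. Run verify_area() whenever the pointer is non-NULL, or force sioc.arg to NULL when the length is zero.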
And here
> +
> + if (get_user(karg.start, &uarg->start) ||
> + get_user(karg.length, &uarg->length) ||
> + get_user(tmp, &uarg->ptr))
> + return -EFAULT;
> +
> + karg.ptr = compat_ptr(tmp);
> + if (verify_area(VERIFY_WRITE, karg.ptr, karg.length))
> + return -EFAULT;
And here.
> +
> + set_fs(KERNEL_DS);
> + if (MEMREADOOB32 == cmd)
> + ret = sys_ioctl(fd, MEMREADOOB, (unsigned long)&karg);
> + else if (MEMWRITEOOB32 == cmd)
> + ret = sys_ioctl(fd, MEMWRITEOOB, (unsigned long)&karg);
> + else
> + ret = -EINVAL;
> + set_fs(old_fs);
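Review bot: the cmd dispatch runs after set_fs(KERNEL_DS), so the -EINVAL path also executes with the raised limit, and the quoted lines restore old_fs without showing where it was saved. Pick the native command first (a switch on cmd reads better than the constant-first comparisons), then wrap only the sys_ioctl() call in set_fs(KERNEL_DS)/set_fs(old_fs).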
-Andi
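
Added example, not part of the original mail or the kernel source: a userspace toy model of the sparc64 problem described above, with two separate byte arrays standing in for the user and kernel address spaces. All names and addresses are constructed; set_fs()/KERNEL_DS and compat_alloc_user_space() are imitated, not called.

```c
#include <stdint.h>
#include <string.h>

/* Toy model (constructed): two disjoint 256-byte address spaces, standing in
 * for an architecture where user and kernel addresses are separate. */
enum seg { USER_DS, KERNEL_DS };
static uint8_t user_mem[256], kernel_mem[256];
static enum seg cur_fs = USER_DS;

/* The uaccess helpers reach whichever space set_fs() last selected. */
static uint8_t *uaccess(uint8_t addr)
{
    return (cur_fs == KERNEL_DS ? kernel_mem : user_mem) + addr;
}

struct req { uint8_t buf, len; };   /* buf: address of the payload buffer */

/* Stand-in for the native ioctl: fetch the request, then fill its buffer. */
static int native_ioctl(uint8_t arg)
{
    struct req r;
    memcpy(&r, uaccess(arg), sizeof r);      /* like copy_from_user() */
    if (r.buf + r.len > 256)
        return -1;
    memset(uaccess(r.buf), 0xAA, r.len);     /* like copy_to_user() */
    return 0;
}

/* Pattern in the quoted patch: request kept in kernel memory, KERNEL_DS set. */
static int via_set_fs(uint8_t user_buf, uint8_t len)
{
    struct req r = { user_buf, len };
    memcpy(kernel_mem + 16, &r, sizeof r);   /* kernel copy of the request */
    cur_fs = KERNEL_DS;
    native_ioctl(16);
    cur_fs = USER_DS;
    return user_mem[user_buf] == 0xAA;       /* did the payload reach user space? */
}

/* Alternative named in the mail: stage the request in user memory (the role
 * of compat_alloc_user_space()) and never switch segments. */
static int via_user_staging(uint8_t user_buf, uint8_t len)
{
    struct req r = { user_buf, len };
    memcpy(user_mem + 200, &r, sizeof r);    /* scratch slot on the user stack */
    native_ioctl(200);
    return user_mem[user_buf] == 0xAA;
}

int main(void) { return !(via_set_fs(64, 8) == 0 && via_user_staging(64, 8) == 1); }
```

On a shared address space the first pattern would succeed, because the nested pointer resolves to the same memory under either segment; in the split model the payload lands in the kernel array at the same numeric address instead.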