[PATCH][2/2] - catch ignored copy_*_user() - fs/compat_ioctl.c
From: Jeremy Huddleston
Date: Sat Dec 25 2004 - 07:07:02 EST
And one more...
Catch and handle some previously ignored copy_*_user() calls
Signed-off-by: Jeremy Huddleston <eradicator@xxxxxxxxxx>
diff -Naurp linux-2.6.10-rc3-bk8/fs/compat_ioctl.c linux-2.6.10-rc3-bk8.edit/fs/compat_ioctl.c
--- linux-2.6.10-rc3-bk8/fs/compat_ioctl.c 2004-12-15 00:15:45.000000000 -0800
+++ linux-2.6.10-rc3-bk8.edit/fs/compat_ioctl.c 2004-12-15 02:56:18.000000000 -0800
@@ -645,8 +645,9 @@ int siocdevprivate_ioctl(unsigned int fd
/* Don't check these user accesses, just let that get trapped
* in the ioctl handler instead.
*/
- copy_to_user(&u_ifreq64->ifr_ifrn.ifrn_name[0], &tmp_buf[0], IFNAMSIZ);
- __put_user(data64, &u_ifreq64->ifr_ifru.ifru_data);
+ if(copy_to_user(&u_ifreq64->ifr_ifrn.ifrn_name[0], &tmp_buf[0], IFNAMSIZ) ||
+ __put_user(data64, &u_ifreq64->ifr_ifru.ifru_data))
+ return -EFAULT;
return sys_ioctl(fd, cmd, (unsigned long) u_ifreq64);
}
@@ -2334,17 +2335,19 @@ static int mtd_rw_oob(unsigned int fd, u
static long
put_dirent32 (struct dirent *d, struct compat_dirent __user *d32)
{
- int ret;
+ int ret;
- if ((ret = verify_area(VERIFY_WRITE, d32,
- sizeof(struct compat_dirent))))
- return ret;
+ if ((ret = verify_area(VERIFY_WRITE, d32,
+ sizeof(struct compat_dirent))))
+ return ret;
+
+ if(__put_user(d->d_ino, &d32->d_ino) ||
+ __put_user(d->d_off, &d32->d_off) ||
+ __put_user(d->d_reclen, &d32->d_reclen) ||
+ __copy_to_user(d32->d_name, d->d_name, d->d_reclen) )
+ return -EFAULT;
- __put_user(d->d_ino, &d32->d_ino);
- __put_user(d->d_off, &d32->d_off);
- __put_user(d->d_reclen, &d32->d_reclen);
- __copy_to_user(d32->d_name, d->d_name, d->d_reclen);
- return ret;
+ return ret;
}
static int vfat_ioctl32(unsigned fd, unsigned cmd, unsigned long arg)
@@ -2484,28 +2487,28 @@ static int serial_struct_ioctl(unsigned
__u32 udata;
if (cmd == TIOCSSERIAL) {
- if (verify_area(VERIFY_READ, ss32, sizeof(SS32)))
- return -EFAULT;
- __copy_from_user(&ss, ss32, offsetof(SS32, iomem_base));
- __get_user(udata, &ss32->iomem_base);
+ if (verify_area(VERIFY_READ, ss32, sizeof(SS32)) ||
+ __copy_from_user(&ss, ss32, offsetof(SS32, iomem_base)) ||
+ __get_user(udata, &ss32->iomem_base) )
+ return -EFAULT;
ss.iomem_base = compat_ptr(udata);
- __get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift);
- __get_user(ss.port_high, &ss32->port_high);
+ if (__get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) ||
+ __get_user(ss.port_high, &ss32->port_high) )
+ return -EFAULT;
ss.iomap_base = 0UL;
}
set_fs(KERNEL_DS);
err = sys_ioctl(fd,cmd,(unsigned long)(&ss));
set_fs(oldseg);
if (cmd == TIOCGSERIAL && err >= 0) {
- if (verify_area(VERIFY_WRITE, ss32, sizeof(SS32)))
+ if (verify_area(VERIFY_WRITE, ss32, sizeof(SS32)) ||
+ __copy_to_user(ss32,&ss,offsetof(SS32,iomem_base)) ||
+ __put_user((unsigned long)ss.iomem_base >> 32 ?
+ 0xffffffff : (unsigned)(unsigned long)ss.iomem_base,
+ &ss32->iomem_base) ||
+ __put_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) ||
+ __put_user(ss.port_high, &ss32->port_high) )
return -EFAULT;
- __copy_to_user(ss32,&ss,offsetof(SS32,iomem_base));
- __put_user((unsigned long)ss.iomem_base >> 32 ?
- 0xffffffff : (unsigned)(unsigned long)ss.iomem_base,
- &ss32->iomem_base);
- __put_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift);
- __put_user(ss.port_high, &ss32->port_high);
-
}
return err;
}
Attachment:
signature.asc
Description: This is a digitally signed message part