Re: [patch 9/9] compat_ioctl: fix compat_fd_ioctl pointer access

From: Al Viro
Date: Sun Oct 07 2007 - 06:00:13 EST

Next message: Jiri Slaby: "Re: Revert "intel_agp: fix stolen mem range on G33""
Previous message: Al Viro: "Re: [patch 8/9] compat_ioctl: call disk->fops->compat_ioctl without BKL"
In reply to: Arnd Bergmann: "[patch 9/9] compat_ioctl: fix compat_fd_ioctl pointer access"
Next in thread: Arnd Bergmann: "[patch 3/9] compat_ioctl: handle blk_trace ioctls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Oct 06, 2007 at 08:19:11PM +0200, Arnd Bergmann wrote:
> As found by sparse, a user space pointer is assigned to a kernel
> data structure while calling other code with set_fs(KERNEL_DS),
> which could lead to leaking kernel data if that pointer is
> ever accessed.
>
> I could not find any place in the floppy drivers that actually
> uses that pointer, but assigning it to an empty string is
> a safer choice and gets rid of the sparse warning.

FWIW, I'd kill kmalloc(), switched to compat_alloc_user_space() and
copy_in_user() / get_user()+put_user(). And kill set_fs() around that
sys_ioctl()... Separate from the rest of this series, though.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Jiri Slaby: "Re: Revert "intel_agp: fix stolen mem range on G33""
Previous message: Al Viro: "Re: [patch 8/9] compat_ioctl: call disk->fops->compat_ioctl without BKL"
In reply to: Arnd Bergmann: "[patch 9/9] compat_ioctl: fix compat_fd_ioctl pointer access"
Next in thread: Arnd Bergmann: "[patch 3/9] compat_ioctl: handle blk_trace ioctls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]