Re: is avoiding compat ioctls possible?

From: Heiko Carstens
Date: Thu Oct 29 2009 - 04:34:49 EST

Next message: David Rientjes: "Re: Memory overcommit"
Previous message: David Rientjes: "Re: [PATCH] oom_kill: use rss value instead of vm size for badness"
In reply to: Arnd Bergmann: "Re: is avoiding compat ioctls possible?"
Next in thread: David Miller: "Re: is avoiding compat ioctls possible?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Oct 28, 2009 at 10:41:57PM -0700, David Miller wrote:
> From: Arnd Bergmann <arndbergmann@xxxxxxxxxxxxxx>
> Date: Wed, 28 Oct 2009 16:40:18 +0100
>
> > I'm pretty sure it was ok when we started adding the compat_ioctl
> > handlers years ago. I think most people just ignored these for
> > the majority of drivers that can't possibly run on s390. Even
> > on s390, gcc will always do the right thing if you call call ioctl
> > with a pointer to a normal object in the .data section, heap or stack,
> > but hand-written assembly or other compilers may not.
>
> Arnd, even compat_sys_ioctl() itself has constructs like:
>
> case FS_IOC_RESVSP:
> case FS_IOC_RESVSP64:
> error = ioctl_preallocate(filp, (void __user *)arg);
> goto out_fput;

That's broken, but it's quite new code. In general it looks like we don't
have many compat ioctl problems on s390. At least I don't remember when
we faced the last bug.
We did have some compat syscall issues when SLES11 testing started.
The lack of bug reports is probably just a lack of 32 bit userspace ;)

This should fix at least the bug above:

Subject: [PATCH] fs: add missing compat_ptr handling for FS_IOC_RESVSP ioctl

From: Heiko Carstens <heiko.carstens@xxxxxxxxxx>

For FS_IOC_RESVSP and FS_IOC_RESVSP64 compat_sys_ioctl() uses its
arg argument as a pointer to userspace. However it is missing a
a call to compat_ptr() which will do a proper pointer conversion.

This was introduced with 3e63cbb1 "fs: Add new pre-allocation ioctls
to vfs for compatibility with legacy xfs ioctls".

Cc: Ankit Jain <me@xxxxxxxxxxxxx>
Cc: Christoph Hellwig <hch@xxxxxx>
Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Cc: Arnd Bergmann <arndbergmann@xxxxxxxxxxxxxx>
Reported-by: David Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Heiko Carstens <heiko.carstens@xxxxxxxxxx>
---
fs/compat_ioctl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c
index f91fd51..d84e705 100644
--- a/fs/compat_ioctl.c
+++ b/fs/compat_ioctl.c
@@ -1800,7 +1800,7 @@ struct space_resv_32 {
/* just account for different alignment */
static int compat_ioctl_preallocate(struct file *file, unsigned long arg)
{
- struct space_resv_32 __user *p32 = (void __user *)arg;
+ struct space_resv_32 __user *p32 = compat_ptr(arg);
struct space_resv __user *p = compat_alloc_user_space(sizeof(*p));

if (copy_in_user(&p->l_type, &p32->l_type, sizeof(s16)) ||
@@ -2802,7 +2802,7 @@ asmlinkage long compat_sys_ioctl(unsigned int fd, unsigned int cmd,
#else
case FS_IOC_RESVSP:
case FS_IOC_RESVSP64:
- error = ioctl_preallocate(filp, (void __user *)arg);
+ error = ioctl_preallocate(filp, compat_ptr(arg));
goto out_fput;
#endif

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: David Rientjes: "Re: Memory overcommit"
Previous message: David Rientjes: "Re: [PATCH] oom_kill: use rss value instead of vm size for badness"
In reply to: Arnd Bergmann: "Re: is avoiding compat ioctls possible?"
Next in thread: David Miller: "Re: is avoiding compat ioctls possible?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]