[PATCH] compat_readv: Remove bogus area verify

From: Corey Minyard
Date: Fri Dec 27 2013 - 20:23:50 EST

Next message: David Woodfall: "Re: Problem with cpufreq and i5 since post 3.9.0"
Previous message: Marcel Holtmann: "Re: [PATCH v2] Bluetooth: Add hci_h4p driver"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The compat_do_readv_writev() function was doing a verify_area on the
incoming iov, but the nr_segs value is not checked. If someone passes
in a -1 for nr_segs, for instance, the function should return an EINVAL.
However, it returns a EFAULT because the verify_area fails because it
is checking an array of size MAX_UINT. The check is bogus, anyway,
because the next check, compat_rw_copy_check_uvector(), will do all
the necessary checking, anyway. The non-compat do_readv_writev()
function doesn't do this check, so I think it's safe to just remove
the code.

Signed-off-by: Corey Minyard <cminyard@xxxxxxxxxx>
---
fs/read_write.c | 4 ----
1 file changed, 4 deletions(-)

diff --git a/fs/read_write.c b/fs/read_write.c
index 58e440d..1193ffd 100644
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -901,10 +901,6 @@ static ssize_t compat_do_readv_writev(int type, struct file *file,
io_fn_t fn;
iov_fn_t fnv;

- ret = -EFAULT;
- if (!access_ok(VERIFY_READ, uvector, nr_segs*sizeof(*uvector)))
- goto out;
-
ret = compat_rw_copy_check_uvector(type, uvector, nr_segs,
UIO_FASTIOV, iovstack, &iov);
if (ret <= 0)
--
1.8.3.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: David Woodfall: "Re: Problem with cpufreq and i5 since post 3.9.0"
Previous message: Marcel Holtmann: "Re: [PATCH v2] Bluetooth: Add hci_h4p driver"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]