Re: [PATCH RFC v2 0/6] staging: comedi: fix user/kernel space access of cmd->chanlist

On 18/09/12 21:48, H Hartley Sweeten wrote:
On Tuesday, September 18, 2012 1:15 PM, H Hartley Sweeten wrote:
On Tuesday, September 18, 2012 12:13 PM, Dan Carpenter wrote:
This introduces some new Sparse warnings in the compat code.

Ugh.. I thought my .config was building this driver since it was in
my build log.

I think the Makefile should be fixed so the #ifdef CONFIG_COMPAT
can be removed from comedi_compat32.c. Oh well, different issue.

    CHECK   drivers/staging/comedi/comedi_compat32.c
drivers/staging/comedi/comedi_compat32.c:212:16: warning: cast removes address space of expression
drivers/staging/comedi/comedi_compat32.c:212:16: warning: cast removes address space of expression
drivers/staging/comedi/comedi_compat32.c:212:16: warning: cast removes address space of expression
drivers/staging/comedi/comedi_compat32.c:212:16: warning: cast removes address space of expression
    CC [M]  drivers/staging/comedi/comedi_compat32.o

    210          err |= __put_user(temp.uint, &cmd->stop_arg);
    211          err |= __get_user(temp.uptr, &cmd32->chanlist);
    212          err |= __put_user(compat_ptr(temp.uptr), &cmd->chanlist);
    213          err |= __get_user(temp.uint, &cmd32->chanlist_len);
    214          err |= __put_user(temp.uint, &cmd->chanlist_len);
    215          err |= __get_user(temp.uptr, &cmd32->data);
    216          err |= __put_user(compat_ptr(temp.uptr), &cmd->data);
    217          err |= __get_user(temp.uint, &cmd32->data_len);

I'm not sure how to cast away the warnings...

Would it work to just "get" the value as an unsigned long and then "put"
it back as an unsigned long?

If I read this code correctly there might be another issue.

This only moves the first level values between the 32-bit user view of
the struct to the 64-bit kernel view of the struct. But what about the
values that chanlist actually points to?

Those values remain in userspace, but will now be pointed to by a 64-bit userspace pointer. The normal 64-bit unlocked_ioctl handler will deal with them.

Doing a new build now with CONFIG_COMPAT enabled. I'll take a
look at it then.

Well, I thought I had CONFIG_COMPAT enabled...

What's the trick to enable that config option?

You're building it for x86-64, right? You need to select "IA32 Emulation" (CONFIG_IA32_EMULATION) and/or "x32 ABI for 64-bit mode (EXPERIMENTAL)" (CONFIG_X86_X32). I've never tested the latter option.

--
-=( Ian Abbott @ MEV Ltd.    E-mail: <abbotti@xxxxxxxxx>        )=-
-=( Tel: +44 (0)161 477 1898   FAX: +44 (0)161 718 3587         )=-
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/devel
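
The point made in the reply above (the compat layer widens only the first-level pointer, and the channel list itself stays in user memory for the native handler to fetch) as an added example, not code from the thread or from the comedi driver. It is a userspace model: the reduced structs, `USER_BASE`, `user_mem` and the `*_model` helpers are assumptions standing in for `struct comedi_cmd`, the user address space, `compat_ptr()` and `copy_from_user()`.

```c
#include <stdint.h>
#include <string.h>

typedef uint32_t compat_uptr_t;          /* 32-bit user address */

struct cmd32_model {                     /* reduced 32-bit user view (assumption) */
    compat_uptr_t chanlist;
    uint32_t chanlist_len;
};
struct cmd64_model {                     /* reduced 64-bit native view (assumption) */
    uint64_t chanlist;                   /* still a *user* address, never dereferenced directly */
    uint32_t chanlist_len;
};

#define USER_BASE 0x1000u                /* constructed stand-in for the user address space */
static unsigned char user_mem[64];

/* Model of copy_from_user(): 0 on success, -1 if the range is not inside user_mem. */
static int copy_from_user_model(void *dst, uint64_t uaddr, size_t len)
{
    if (uaddr < USER_BASE || len > sizeof(user_mem) ||
        uaddr - USER_BASE > sizeof(user_mem) - len)
        return -1;
    memcpy(dst, user_mem + (uaddr - USER_BASE), len);
    return 0;
}

/* Model of compat_ptr(): zero-extend the 32-bit user address. */
static uint64_t compat_ptr_model(compat_uptr_t uptr) { return (uint64_t)uptr; }

/* Compat step: translate first-level fields only; the pointed-to list is not touched. */
static void translate_cmd(const struct cmd32_model *c32, struct cmd64_model *c64)
{
    c64->chanlist = compat_ptr_model(c32->chanlist);
    c64->chanlist_len = c32->chanlist_len;
}

/* Native handler step: fetch the list through the widened user address. */
static int fetch_chanlist(const struct cmd64_model *c64, uint32_t *out, size_t max)
{
    if (c64->chanlist_len > max)
        return -1;
    return copy_from_user_model(out, c64->chanlist,
                                (size_t)c64->chanlist_len * sizeof(uint32_t));
}

int main(void)
{
    uint32_t chans[3] = { 0, 1, 2 }, out[3] = { 0 };   /* constructed channel list */
    struct cmd32_model c32 = { USER_BASE + 16, 3 };
    struct cmd64_model c64;

    memcpy(user_mem + 16, chans, sizeof(chans));
    translate_cmd(&c32, &c64);
    return fetch_chanlist(&c64, out, 3) || out[2] != 2;
}
```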