On Tue, Nov 25, 2014 at 09:44:21PM +0100, Zahari Doychev wrote:
> This patch fixes pointer declarations from void * to void __user * in order
> to remove some sparse warnings.
_Are_ those userland addresses, though? Quick grep shows that in the
only caller of lnet_copy_iov2flat() we have something called ibmsg passed
as the second argument *AND* *RIGHT* *BEFORE* *THAT* *CALL* *WE* *HAVE*
ibmsg = tx->tx_msg;
ibmsg->ibm_u.immediate.ibim_hdr = *hdr;
Go ahead, explain how does that manage to work if ibmsg is a userland pointer.
Either you have discovered an exploitable hole (direct store to userland
address), or it's not a userland pointer, after all.
Al, sick and tired of the "remove some warnings" as the sole rationale for
patches, without even an attempt to figure out what those warnings are
about. Magic box makes noises, magic box must be appeased...
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
