Re: [patch 5/5] scsi: fix uaccess handling

[Heiko Carstens <heiko.carstens@xxxxxxxxxx>]

> While not your fault I'd suggest to fix the __put_user abuse at the same
> time, as in the untested patch below for scsi_ioctl.c:

Makes sense. Even though the whole SCSI_IOCTL_GET_IDLUN ioctl interface
is pretty pointless.
It supports only up to 255 different ids and luns and might return the
same 'dev_id' for two different devices...
Any user space utility that depends on this interface would do the wrong
thing (whatever that would be).

> Index: linux-2.6/drivers/scsi/scsi_ioctl.c
> ===================================================================
> --- linux-2.6.orig/drivers/scsi/scsi_ioctl.c	2006-10-28 13:24:18.000000000 +0200
> +++ linux-2.6/drivers/scsi/scsi_ioctl.c	2006-10-28 13:30:17.000000000 +0200
> @@ -173,6 +173,21 @@
>          return copy_to_user(arg, dev->bus_id, sizeof(dev->bus_id))? -EFAULT: 0;
>  }
>  
> +static int scsi_get_idlun(struct scsi_device *sdev,
> +		struct scsi_idlun __user *arg)
> +{
> +	struct scsi_idlun karg = {
> +		.dev_id		= (sdev->id & 0xff) +
> +			          ((sdev->lun & 0xff) << 8) +
> +				  ((sdev->channel & 0xff) << 16) +
> +				  ((sdev->host->host_no & 0xff) << 24),
> +		.host_unique_id	= sdev->host->unique_id
> +	};
> +
> +	if (copy_to_user(arg, &karg, sizeof(struct scsi_idlun)))
> +		return -EFAULT;
> +	return 0;
> +}
>  
>  /*
>   * the scsi_ioctl() function differs from most ioctls in that it does
> @@ -214,17 +229,7 @@
>  
>  	switch (cmd) {
>  	case SCSI_IOCTL_GET_IDLUN:
> -		if (!access_ok(VERIFY_WRITE, arg, sizeof(struct scsi_idlun)))
> -			return -EFAULT;
> -
> -		__put_user((sdev->id & 0xff)
> -			 + ((sdev->lun & 0xff) << 8)
> -			 + ((sdev->channel & 0xff) << 16)
> -			 + ((sdev->host->host_no & 0xff) << 24),
> -			 &((struct scsi_idlun __user *)arg)->dev_id);
> -		__put_user(sdev->host->unique_id,
> -			 &((struct scsi_idlun __user *)arg)->host_unique_id);
> -		return 0;
> +		return scsi_get_idlun(sdev, arg);
>  	case SCSI_IOCTL_GET_BUS_NUMBER:
>  		return put_user(sdev->host->host_no, (int __user *)arg);
>  	case SCSI_IOCTL_PROBE_HOST:
-
To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html