[PATCH, RFC] usb devio: Use get_user() instead of __get_user()

I was wondering whether the following patch could make sense.
The compat ioctl code uses get_user() to fetch all integers, but
uses __get_user() to fetch the pointer. But I don't see who checked access_ok()
on the pointer member of the compat struct in userspace.

The native IOCTL does check access_ok() on the pointer (via copy_from_user() on
the whole struct usbdevfs_ioctl).

What happens to __get_user() if access is not OK? Does it crash? Does it silently return
and leave udata uninitialized (= initialized with stack junk)? Both would be pretty bad.

Signed-off-by: Michael Buesch <mb@xxxxxxxxx>

---
 drivers/usb/core/devio.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- linux-2.6.orig/drivers/usb/core/devio.c
+++ linux-2.6/drivers/usb/core/devio.c
@@ -1531,21 +1531,21 @@ static int proc_ioctl_default(struct dev
 #ifdef CONFIG_COMPAT
 static int proc_ioctl_compat(struct dev_state *ps, compat_uptr_t arg)
 {
 	struct usbdevfs_ioctl32 __user *uioc;
 	struct usbdevfs_ioctl ctrl;
 	u32 udata;
 
 	uioc = compat_ptr((long)arg);
 	if (get_user(ctrl.ifno, &uioc->ifno) ||
 	    get_user(ctrl.ioctl_code, &uioc->ioctl_code) ||
-	    __get_user(udata, &uioc->data))
+	    get_user(udata, &uioc->data))
 		return -EFAULT;
 	ctrl.data = compat_ptr(udata);
 
 	return proc_ioctl(ps, &ctrl);
 }
 #endif
 
 /*
  * NOTE:  All requests here that have interface numbers as parameters
  * are assuming that somehow the configuration has been prevented from
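Review bot: with the changed line, proc_ioctl_compat() performs three separate get_user() calls on adjacent members of the same struct usbdevfs_ioctl32, each with its own access check. Consider copying the whole compat struct into a local with a single copy_from_user() and filling ctrl from that, which matches what the changelog says the native path does for struct usbdevfs_ioctl and leaves no member that can be fetched unchecked. Two smaller points: the changelog asks what __get_user() does on a bad address instead of stating it, so the final commit message should say which failure is being closed; and `ctrl.data = compat_ptr(udata);` passes a user-supplied pointer value on to proc_ioctl(), so it is worth confirming that proc_ioctl() validates ctrl.data before use, since that is not visible in this hunk.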

-- 
Greetings, Michael.