The patch titled
ISDN: fix drivers, by handling errors thrown by ->readstat()
has been added to the -mm tree. Its filename is
isdn-fix-drivers-by-handling-errors-thrown-by-readstat.patch
See http://www.zip.com.au/~akpm/linux/patches/stuff/added-to-mm.txt to find
out what to do about this
------------------------------------------------------
Subject: ISDN: fix drivers, by handling errors thrown by ->readstat()
From: Jeff Garzik <jeff@xxxxxxxxxx>
This is a particularly ugly on-failure bug, possibly security, since the
lack of error handling here is covering up another class of bug: failure to
handle copy_to_user() return values.
The I4L API function ->readstat() returns an integer, and by looking at
several existing driver implementations, it is clear that a negative return
value was meant to indicate an error.
Given that several drivers already return a negative value indicating an
errno-style error, the current code would blindly accept that [negative]
value as a valid amount of bytes read. Obvious damage ensues.
Correcting ->readstat() handling to properly notice errors fixes the
existing code to work correctly on error, and enables future patches to
more easily indicate errors during operation.
Signed-off-by: Jeff Garzik <jeff@xxxxxxxxxx>
Cc: Karsten Keil <kkeil@xxxxxxx>
Cc: <stable@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
---
drivers/isdn/i4l/isdn_common.c | 9 ++++++---
1 files changed, 6 insertions(+), 3 deletions(-)
diff -puN drivers/isdn/i4l/isdn_common.c~isdn-fix-drivers-by-handling-errors-thrown-by-readstat drivers/isdn/i4l/isdn_common.c
--- a/drivers/isdn/i4l/isdn_common.c~isdn-fix-drivers-by-handling-errors-thrown-by-readstat
+++ a/drivers/isdn/i4l/isdn_common.c
@@ -1134,9 +1134,12 @@ isdn_read(struct file *file, char __user
if (dev->drv[drvidx]->interface->readstat) {
if (count > dev->drv[drvidx]->stavail)
count = dev->drv[drvidx]->stavail;
- len = dev->drv[drvidx]->interface->
- readstat(buf, count, drvidx,
- isdn_minor2chan(minor));
+ len = dev->drv[drvidx]->interface->readstat(buf, count,
+ drvidx, isdn_minor2chan(minor));
+ if (len < 0) {
+ retval = len;
+ goto out;
+ }
} else {
len = 0;
}
_
Patches currently in -mm which might be from jeff@xxxxxxxxxx are
origin.patch
tpm-fix-error-handling.patch
x86-microcode-handle-sysfs-error.patch
firmware-dell_rbu-handle-sysfs-errors.patch
ipmi-handle-sysfs-errors.patch
eisa-handle-sysfs-errors.patch
firmware-efivars-handle-error.patch
drivers-mca-handle-sysfs-errors.patch
isdn-several-minor-fixes.patch
fix-up-a-multitude-of-acpi-compiler-warnings-on-x86_64.patch
cpufreq-handle-sysfs-errors.patch
drm-fix-error-returns-sysfs-error-handling.patch
git-dvb.patch
i2c-buses-scx200_acb-handle-pci-errors.patch
input-handle-sysfs-errors.patch
input-drivers-handle-sysfs-errors.patch
git-libata-all.patch
ata-must-depend-on-block.patch
pci_module_init-conversion-for-pata_pdc2027x.patch
libata-return-sense-data-in-hdio_drive_cmd-ioctl.patch
via-pata-controller-xfer-fixes.patch
ahci-ati-sb600-sata-support-for-various-modes.patch
git-mtd.patch
git-netdev-all.patch
libphy-dont-do-that.patch
update-smc91x-driver-with-arm-versatile-board-info.patch
b44-fix-eeprom-endianess-issue.patch
forcedeth-power-management-support.patch
remove-unnecessary-check-in-drivers-net-depcac.patch
8139too-force-media-setting-fix.patch
ibmveth-irq-fix.patch
ehea-firmware-interface-based-on-anton-blanchards-new-hvcall-interface.patch
tulip-fix-shutdown-dma-irq-race.patch
drivers-dma-handle-sysfs-errors.patch
atm-firestream-handle-thrown-error.patch
wan-pc300-handle-propagate-minor-errors.patch
r8169-driver-corega-support-patch.patch
git-pciseg.patch
scsi-minor-bug-fixes-and-cleanups.patch
watchdog-itco_wdt-fix-bug-related-to-gcc-uninit-warning.patch
airo-suspend-fix.patch
drivers-led-handle-sysfs-errors.patch
i2o-handle-a-few-sysfs-errors.patch
fs-partitions-check-add-sysfs-error-handling.patch
rtc-fix-printk-of-64-bit-res-on-32-bit-platform.patch
isdn-fix-drivers-by-handling-errors-thrown-by-readstat.patch
atyfb-rivafb-minor-fixes.patch
md-conditionalize-some-code.patch
git-gccbug.patch
-
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
