lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Tue, 8 Feb 2011 14:58:55 -0500
From:	Aristeu Rozanski <aris@...hedrallabs.org>
To:	Dmitry Torokhov <dmitry.torokhov@...il.com>
Cc:	David Herrmann <dh.herrmann@...glemail.com>,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] uinput strnlen bugfix

On Mon, Feb 07, 2011 at 11:38:48PM -0800, Dmitry Torokhov wrote:
> Input: uinput - use memdup_user() and friends
> 
> From: Dmitry Torokhov <dmitry.torokhov@...il.com>
> 
> Instead of open-coding copying of data structures from userspace use
> memdup_user() and strndup_user(). Note that this introduces change in
> behavior because driver used to truncate 'phys' longer than 1024 bytes,
> but now it will refuse to set 'phys' that long. Arguably trying to set
> such 'phys' is suspect anyways.
> 
> Signed-off-by: Dmitry Torokhov <dtor@...l.ru>
> ---
> 
>  drivers/input/misc/uinput.c |   35 ++++++++++-------------------------
>  1 files changed, 10 insertions(+), 25 deletions(-)
> 
> 
> diff --git a/drivers/input/misc/uinput.c b/drivers/input/misc/uinput.c
> index c0888e3..7f8331f 100644
> --- a/drivers/input/misc/uinput.c
> +++ b/drivers/input/misc/uinput.c
> @@ -361,14 +361,9 @@ static int uinput_setup_device(struct uinput_device *udev, const char __user *bu
>  
>  	dev = udev->dev;
>  
> -	user_dev = kmalloc(sizeof(struct uinput_user_dev), GFP_KERNEL);
> -	if (!user_dev)
> -		return -ENOMEM;
> -
> -	if (copy_from_user(user_dev, buffer, sizeof(struct uinput_user_dev))) {
> -		retval = -EFAULT;
> -		goto exit;
> -	}
> +	user_dev = memdup_user(buffer, sizeof(struct uinput_user_dev));
> +	if (!IS_ERR(user_dev))
> +		return PTR_ERR(user_dev);
>  
>  	udev->ff_effects_max = user_dev->ff_effects_max;
>  
> @@ -621,7 +616,6 @@ static long uinput_ioctl_handler(struct file *file, unsigned int cmd,
>  	struct uinput_ff_upload ff_up;
>  	struct uinput_ff_erase  ff_erase;
>  	struct uinput_request   *req;
> -	int                     length;
>  	char			*phys;
>  
>  	retval = mutex_lock_interruptible(&udev->mutex);
> @@ -688,24 +682,15 @@ static long uinput_ioctl_handler(struct file *file, unsigned int cmd,
>  				retval = -EINVAL;
>  				goto out;
>  			}
> -			length = strnlen_user(p, 1024);
> -			if (length <= 0) {
> -				retval = -EFAULT;
> -				break;
> +
> +			phys = strndup_user(p, 1024);
> +			if (IS_ERR(phys)) {
> +				retval = PTR_ERR(phys);
> +				goto out;
>  			}
> +
>  			kfree(udev->dev->phys);
> -			udev->dev->phys = phys = kmalloc(length, GFP_KERNEL);
> -			if (!phys) {
> -				retval = -ENOMEM;
> -				break;
> -			}
> -			if (copy_from_user(phys, p, length)) {
> -				udev->dev->phys = NULL;
> -				kfree(phys);
> -				retval = -EFAULT;
> -				break;
> -			}
> -			phys[length - 1] = '\0';
> +			udev->dev->phys = phys;
>  			break;
>  
>  		case UI_BEGIN_FF_UPLOAD:
looks good to me
Acked-by: Aristeu Rozanski <aris@...vo.org>

-- 
Aristeu

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ