lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20061029213922.GA8494@osiris.ibm.com>
Date:	Sun, 29 Oct 2006 22:39:22 +0100
From:	Heiko Carstens <heiko.carstens@...ibm.com>
To:	Christoph Hellwig <hch@...radead.org>
Cc:	Andrew Morton <akpm@...l.org>, linux-kernel@...r.kernel.org,
	linux-scsi@...r.kernel.org,
	James Bottomley <James.Bottomley@...eleye.com>
Subject: Re: [patch 5/5] scsi: fix uaccess handling

> While not your fault I'd suggest to fix the __put_user abuse at the same
> time, as in the untested patch below for scsi_ioctl.c:

Makes sense. Even though the whole SCSI_IOCTL_GET_IDLUN ioctl interface
is pretty pointless.
It supports only up to 255 different ids and luns and might return the
same 'dev_id' for two different devices...
Any user space utility that depends on this interface would do the wrong
thing (whatever that would be).

> Index: linux-2.6/drivers/scsi/scsi_ioctl.c
> ===================================================================
> --- linux-2.6.orig/drivers/scsi/scsi_ioctl.c	2006-10-28 13:24:18.000000000 +0200
> +++ linux-2.6/drivers/scsi/scsi_ioctl.c	2006-10-28 13:30:17.000000000 +0200
> @@ -173,6 +173,21 @@
>          return copy_to_user(arg, dev->bus_id, sizeof(dev->bus_id))? -EFAULT: 0;
>  }
>  
> +static int scsi_get_idlun(struct scsi_device *sdev,
> +		struct scsi_idlun __user *arg)
> +{
> +	struct scsi_idlun karg = {
> +		.dev_id		= (sdev->id & 0xff) +
> +			          ((sdev->lun & 0xff) << 8) +
> +				  ((sdev->channel & 0xff) << 16) +
> +				  ((sdev->host->host_no & 0xff) << 24),
> +		.host_unique_id	= sdev->host->unique_id
> +	};
> +
> +	if (copy_to_user(arg, &karg, sizeof(struct scsi_idlun)))
> +		return -EFAULT;
> +	return 0;
> +}
>  
>  /*
>   * the scsi_ioctl() function differs from most ioctls in that it does
> @@ -214,17 +229,7 @@
>  
>  	switch (cmd) {
>  	case SCSI_IOCTL_GET_IDLUN:
> -		if (!access_ok(VERIFY_WRITE, arg, sizeof(struct scsi_idlun)))
> -			return -EFAULT;
> -
> -		__put_user((sdev->id & 0xff)
> -			 + ((sdev->lun & 0xff) << 8)
> -			 + ((sdev->channel & 0xff) << 16)
> -			 + ((sdev->host->host_no & 0xff) << 24),
> -			 &((struct scsi_idlun __user *)arg)->dev_id);
> -		__put_user(sdev->host->unique_id,
> -			 &((struct scsi_idlun __user *)arg)->host_unique_id);
> -		return 0;
> +		return scsi_get_idlun(sdev, arg);
>  	case SCSI_IOCTL_GET_BUS_NUMBER:
>  		return put_user(sdev->host->host_no, (int __user *)arg);
>  	case SCSI_IOCTL_PROBE_HOST:
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ