| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20081231180759X.fujita.tomonori@lab.ntt.co.jp>
Date: Wed, 31 Dec 2008 18:08:02 +0900
From: FUJITA Tomonori <fujita.tomonori@....ntt.co.jp>
To: akpm@...ux-foundation.org
Cc: alexey.zaytsev@...il.com, jens.axboe@...cle.com,
linux-kernel@...r.kernel.org, linux-scsi@...r.kernel.org,
James.Bottomley@...senPartnership.com
Subject: Re: [PATCH] Fix sg_io_hdr.info corruption.
On Tue, 30 Dec 2008 15:46:03 -0800
Andrew Morton <akpm@...ux-foundation.org> wrote:
> On Sun, 28 Dec 2008 17:50:35 +0300
> Alexey Zaytsev <alexey.zaytsev@...il.com> wrote:
>
> > sizeof(unsigned (short)) is actually sizeof(function), == 1.
> > Spotted by sparse.
> >
> > Signed-off-by: Alexey Zaytsev <alexey.zaytsev@...il.com>
> > ---
> > fs/compat_ioctl.c | 2 +-
> > 1 files changed, 1 insertions(+), 1 deletions(-)
> >
> > diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c
> > index 5235c67..7c2d617 100644
> > --- a/fs/compat_ioctl.c
> > +++ b/fs/compat_ioctl.c
> > @@ -784,7 +784,7 @@ static int sg_ioctl_trans(unsigned int fd, unsigned int cmd, unsigned long arg)
> >
> > if (copy_in_user(&sgio->status, &sgio32->status,
> > (4 * sizeof(unsigned char)) +
> > - (2 * sizeof(unsigned (short))) +
> > + (2 * sizeof(unsigned short)) +
> > (3 * sizeof(int))))
> > return -EFAULT;
>
> gack.
>
> akpm:/home/akpm> cat t.c
> main()
> {
> printf("%d\n", sizeof(unsigned (short)));
> printf("%d\n", sizeof(unsigned short));
> }
> akpm:/home/akpm> ./a.out
> 1
> 2
>
>
> the code has been like this for years and years. Why hasn't anyone
> noticed?
The members from 'status' in struct sg_io_hdr to the last are used to
transfer information from kernel to user space. The values that user
space sets are just ignored.
typedef struct sg_io_hdr
{
int interface_id; /* [i] 'S' for SCSI generic (required) */
int dxfer_direction; /* [i] data transfer direction */
unsigned char cmd_len; /* [i] SCSI command length ( <= 16 bytes) */
unsigned char mx_sb_len; /* [i] max length to write to sbp */
unsigned short iovec_count; /* [i] 0 implies no scatter gather */
unsigned int dxfer_len; /* [i] byte count of data transfer */
void __user *dxferp; /* [i], [*io] points to data transfer memory
or scatter gather list */
unsigned char __user *cmdp; /* [i], [*i] points to command to perform */
void __user *sbp; /* [i], [*o] points to sense_buffer memory */
unsigned int timeout; /* [i] MAX_UINT->no timeout (unit: millisec) */
unsigned int flags; /* [i] 0 -> default, see SG_FLAG... */
int pack_id; /* [i->o] unused internally (normally) */
void __user * usr_ptr; /* [i->o] unused internally */
unsigned char status; /* [o] scsi status */
unsigned char masked_status;/* [o] shifted, masked scsi status */
unsigned char msg_status; /* [o] messaging level data (optional) */
unsigned char sb_len_wr; /* [o] byte count actually written to sbp */
unsigned short host_status; /* [o] errors from host adapter */
unsigned short driver_status;/* [o] errors from software driver */
int resid; /* [o] dxfer_len - actual_transferred */
unsigned int duration; /* [o] time taken by cmd (unit: millisec) */
unsigned int info; /* [o] auxiliary information */
} sg_io_hdr_t; /* 64 bytes long (on i386) */
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists