Message-ID: <20090304101201.GA31239@elte.hu>
Date:	Wed, 4 Mar 2009 11:12:01 +0100
From:	Ingo Molnar <mingo@...e.hu>
To:	Steven Rostedt <rostedt@...dmis.org>
Cc:	LKML <linux-kernel@...r.kernel.org>, Theodore Tso <tytso@....edu>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Peter Zijlstra <peterz@...radead.org>,
	Frederic Weisbecker <fweisbec@...il.com>,
	Arjan van de Ven <arjan@...radead.org>,
	Pekka Paalanen <pq@....fi>,
	Arnaldo Carvalho de Melo <acme@...hat.com>,
	"H. Peter Anvin" <hpa@...or.com>,
	Mathieu Desnoyers <compudj@...stal.dyndns.org>,
	Martin Bligh <mbligh@...gle.com>,
	"Frank Ch. Eigler" <fche@...hat.com>,
	Tom Zanussi <tzanussi@...il.com>,
	Masami Hiramatsu <mhiramat@...hat.com>,
	KOSAKI Motohiro <kosaki.motohiro@...fujitsu.com>,
	Jason Baron <jbaron@...hat.com>,
	Christoph Hellwig <hch@...radead.org>,
	Jiaying Zhang <jiayingz@...gle.com>,
	Eduard - Gabriel Munteanu <eduard.munteanu@...ux360.ro>,
	mrubin@...gle.com, md@...gle.com,
	Steven Rostedt <srostedt@...hat.com>
Subject: Re: [PATCH] fs: make simple_read_from_buffer conventional


* Steven Rostedt <rostedt@...dmis.org> wrote:

> Impact: have simple_read_from_buffer conform to standards
> 
> It was brought to my attention by Andrew Morton, Theodore Tso,
> and H. Peter Anvin that a read from userspace should only return
> -EFAULT if nothing was actually read.
> 
> Looking at the simple_read_from_buffer I noticed that this function
> does not conform to that rule. This patch fixes that function.
> 
> Signed-off-by: Steven Rostedt <srostedt@...hat.com>
> 
> diff --git a/fs/libfs.c b/fs/libfs.c
> index 49b4409..6a72298 100644
> --- a/fs/libfs.c
> +++ b/fs/libfs.c
> @@ -525,14 +525,20 @@ ssize_t simple_read_from_buffer(void __user *to, size_t count, loff_t *ppos,
>  				const void *from, size_t available)
>  {
>  	loff_t pos = *ppos;
> +	size_t ret;
> +
>  	if (pos < 0)
>  		return -EINVAL;
>  	if (pos >= available)
>  		return 0;
>  	if (count > available - pos)
>  		count = available - pos;
> -	if (copy_to_user(to, from + pos, count))
> -		return -EFAULT;
> +	ret = copy_to_user(to, from + pos, count);
> +	if (ret) {
> +		if (ret == count)
> +			return -EFAULT;
> +		count -= ret;
> +	}

Btw., the git grep result below shows 160 usage sites all across 
the kernel, so this bug affects a lot of existing debugfs users.

	Ingo

arch/cris/kernel/profile.c:	ret = simple_read_from_buffer(buf, count, ppos, sample_buffer,
arch/ia64/kernel/salinfo.c:	return simple_read_from_buffer(buffer, count, ppos, buf, bufsize);
arch/powerpc/kernel/proc_ppc64.c:	return simple_read_from_buffer(buf, nbytes, ppos, dp->data, dp->size);
arch/powerpc/platforms/cell/spufs/file.c:	ret = simple_read_from_buffer(buf, len, ppos, attr->get_buf, size);
arch/powerpc/platforms/cell/spufs/file.c:	return simple_read_from_buffer(buffer, size, pos, local_store,
arch/powerpc/platforms/cell/spufs/file.c:	return simple_read_from_buffer(buffer, size, pos,
arch/powerpc/platforms/cell/spufs/file.c:	return simple_read_from_buffer(buffer, size, pos,
arch/powerpc/platforms/cell/spufs/file.c:	return simple_read_from_buffer(buf, len, pos, &data, sizeof data);
arch/powerpc/platforms/cell/spufs/file.c:	return simple_read_from_buffer(buf, len, pos, &data, sizeof data);
arch/powerpc/platforms/cell/spufs/file.c:	return simple_read_from_buffer(buf, len, pos, &data,
arch/powerpc/platforms/cell/spufs/file.c:	return simple_read_from_buffer(buf, len, pos, &info,
arch/powerpc/platforms/cell/spufs/file.c:	return simple_read_from_buffer(buf, len, pos, &info,
arch/s390/hypfs/inode.c:	ret = simple_read_from_buffer(buf, count, &offset, data, strlen(data));
arch/um/drivers/mmapper_kern.c:	return simple_read_from_buffer(buf, count, ppos, v_buf, mmapper_size);
arch/x86/xen/debugfs.c:	return simple_read_from_buffer(buf, len, ppos, file->private_data, size);
drivers/acpi/system.c:	res = simple_read_from_buffer(buffer, count, ppos, dsdt, dsdt->length);
drivers/acpi/system.c:	res = simple_read_from_buffer(buffer, count, ppos, fadt, fadt->length);
drivers/char/nwflash.c:	ret = simple_read_from_buffer(buf, size, ppos, (void *)FLASH_BASE, gbFlashSize);
drivers/idle/i7300_idle.c:	return simple_read_from_buffer(ubuf, count, off, buf, len);
drivers/infiniband/hw/ipath/ipath_fs.c:	return simple_read_from_buffer(buf, count, ppos, &ipath_stats,
drivers/infiniband/hw/ipath/ipath_fs.c:	return simple_read_from_buffer(buf, count, ppos, &counters,
drivers/isdn/hysdn/hysdn_procconf.c:	return simple_read_from_buffer(buf, count, off, cp, strlen(cp));
drivers/media/dvb/ttusb-budget/dvb-ttusb-budget.c:	return simple_read_from_buffer(buf, count, offset, stc_firmware, 8192);
drivers/media/video/cafe_ccic.c:	return simple_read_from_buffer(buf, count, ppos, cafe_debug_buf,
drivers/media/video/cafe_ccic.c:	return simple_read_from_buffer(buf, count, ppos, cafe_debug_buf,
drivers/net/wimax/i2400m/debugfs.c:	return simple_read_from_buffer(buffer, count, ppos, buf, strlen(buf));
drivers/net/wimax/i2400m/debugfs.c:	return simple_read_from_buffer(buffer, count, ppos, buf, strlen(buf));
drivers/net/wireless/airo.c:	return simple_read_from_buffer(buffer, len, offset, priv->rbuffer,
drivers/net/wireless/ath5k/debug.c:	return simple_read_from_buffer(user_buf, count, ppos, buf, 19);
drivers/net/wireless/ath5k/debug.c:	return simple_read_from_buffer(user_buf, count, ppos, buf, len);
drivers/net/wireless/ath5k/debug.c:	return simple_read_from_buffer(user_buf, count, ppos, buf, len);
drivers/net/wireless/ath9k/debug.c:	return simple_read_from_buffer(user_buf, count, ppos, buf, len);
drivers/net/wireless/ath9k/debug.c:	return simple_read_from_buffer(user_buf, count, ppos, buf, len);
drivers/net/wireless/b43/debugfs.c:	ret = simple_read_from_buffer(userbuf, count, ppos,
drivers/net/wireless/b43legacy/debugfs.c:	ret = simple_read_from_buffer(userbuf, count, ppos,
drivers/net/wireless/iwlwifi/iwl-3945-rs.c:	return simple_read_from_buffer(user_buf, count, ppos, buff, desc);
drivers/net/wireless/iwlwifi/iwl-agn-rs.c:	return simple_read_from_buffer(user_buf, count, ppos, buff, desc);
drivers/net/wireless/iwlwifi/iwl-agn-rs.c:	return simple_read_from_buffer(user_buf, count, ppos, buff, desc);
drivers/net/wireless/iwlwifi/iwl-debugfs.c:	return simple_read_from_buffer(user_buf, count, ppos, buf, pos);
drivers/net/wireless/iwlwifi/iwl-debugfs.c:	return simple_read_from_buffer(user_buf, count, ppos, buf, pos);
drivers/net/wireless/iwlwifi/iwl-debugfs.c:	ret = simple_read_from_buffer(user_buf, count, ppos, buf, pos);
drivers/net/wireless/iwlwifi/iwl-debugfs.c:	ret = simple_read_from_buffer(user_buf, count, ppos, buf, pos);
drivers/net/wireless/iwlwifi/iwl-debugfs.c:	ret = simple_read_from_buffer(user_buf, count, ppos, buf, pos);
drivers/net/wireless/iwlwifi/iwl-debugfs.c:	ret = simple_read_from_buffer(user_buf, count, ppos, buf, pos);
drivers/net/wireless/libertas/debugfs.c:	res = simple_read_from_buffer(userbuf, count, ppos, buf, pos);
drivers/net/wireless/libertas/debugfs.c:	res = simple_read_from_buffer(userbuf, count, ppos, buf, pos);
drivers/net/wireless/libertas/debugfs.c:	ret = simple_read_from_buffer(userbuf, count, ppos, buf, pos);
drivers/net/wireless/libertas/debugfs.c:	ret = simple_read_from_buffer(userbuf, count, ppos, buf, pos);
drivers/net/wireless/libertas/debugfs.c:	ret = simple_read_from_buffer(userbuf, count, ppos, buf, pos);
drivers/net/wireless/libertas/debugfs.c:	ret = simple_read_from_buffer(userbuf, count, ppos, buf, pos);
drivers/net/wireless/libertas/debugfs.c:	ret = simple_read_from_buffer(userbuf, count, ppos, buf, pos);
drivers/net/wireless/libertas/debugfs.c:	res = simple_read_from_buffer(userbuf, count, ppos, p, pos);
drivers/oprofile/oprofilefs.c:	return simple_read_from_buffer(buf, count, offset, str, strlen(str));
drivers/oprofile/oprofilefs.c:	return simple_read_from_buffer(buf, count, offset, tmpbuf, maxlen);
drivers/pci/hotplug/cpqphp_sysfs.c:	return simple_read_from_buffer(buf, nbytes, ppos, dbg->data, dbg->size);
drivers/s390/char/vmcp.c:	ret = simple_read_from_buffer(buff, count, ppos,
drivers/s390/char/zcore.c:	return simple_read_from_buffer(buf, count, ppos, filp->private_data,
drivers/scsi/lpfc/lpfc_debugfs.c:	return simple_read_from_buffer(buf, nbytes, ppos, debug->buffer,
drivers/usb/gadget/atmel_usba_udc.c:	ret = simple_read_from_buffer(buf, nbytes, ppos,
drivers/usb/host/ehci-dbg.c:	ret = simple_read_from_buffer(user_buf, len, offset,
drivers/usb/host/ohci-dbg.c:	ret = simple_read_from_buffer(user_buf, len, offset,
drivers/usb/host/uhci-debug.c:	return simple_read_from_buffer(buf, nbytes, ppos, up->data, up->size);
drivers/usb/misc/idmouse.c:	result = simple_read_from_buffer(buffer, count, ppos,
drivers/usb/mon/mon_stat.c:	return simple_read_from_buffer(buf, nbytes, ppos, sp->str, sp->slen);
drivers/video/mbx/mbxdebugfs.c:	return  simple_read_from_buffer(userbuf, count, ppos,
drivers/video/mbx/mbxdebugfs.c:	return  simple_read_from_buffer(userbuf, count, ppos,
drivers/video/mbx/mbxdebugfs.c:	return  simple_read_from_buffer(userbuf, count, ppos,
drivers/video/mbx/mbxdebugfs.c:	return  simple_read_from_buffer(userbuf, count, ppos,
drivers/video/mbx/mbxdebugfs.c:	return  simple_read_from_buffer(userbuf, count, ppos,
drivers/video/mbx/mbxdebugfs.c:	return  simple_read_from_buffer(userbuf, count, ppos,
fs/binfmt_misc.c:	res = simple_read_from_buffer(buf, nbytes, ppos, page, strlen(page));
fs/binfmt_misc.c:	return simple_read_from_buffer(buf, nbytes, ppos, s, strlen(s));
fs/configfs/file.c:	retval = simple_read_from_buffer(buf, count, ppos, buffer->page,
fs/debugfs/file.c:	return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
fs/debugfs/file.c:	return simple_read_from_buffer(user_buf, count, ppos, blob->data,
fs/dlm/debug_fs.c:	rv = simple_read_from_buffer(userbuf, count, ppos, debug_buf, pos);
fs/fuse/control.c:	return simple_read_from_buffer(buf, len, ppos, tmp, size);
fs/libfs.c: * simple_read_from_buffer - copy data from the buffer to user space
fs/libfs.c: * The simple_read_from_buffer() function reads up to @count bytes from the
fs/libfs.c:ssize_t simple_read_from_buffer(void __user *to, size_t count, loff_t *ppos,
fs/libfs.c:	return simple_read_from_buffer(buf, size, pos, ar->data, ar->size);
fs/libfs.c:	ret = simple_read_from_buffer(buf, len, ppos, attr->get_buf, size);
fs/libfs.c:EXPORT_SYMBOL(simple_read_from_buffer);
fs/ocfs2/dlm/dlmdebug.c:	return simple_read_from_buffer(buf, nbytes, ppos, db->buf, db->len);
fs/ocfs2/localalloc.c:	ret = simple_read_from_buffer(userbuf, count, ppos, buf, written);
fs/ocfs2/stack_user.c:	ret = simple_read_from_buffer(buf, count, ppos,
fs/proc/base.c:		length = simple_read_from_buffer(buf, count, ppos, (char *)page, length);
fs/proc/base.c:	return simple_read_from_buffer(buf, count, ppos, buffer, len);
fs/proc/base.c:	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
fs/proc/base.c:	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
fs/proc/base.c:	return simple_read_from_buffer(buf, count, ppos, buffer, len);
fs/proc/base.c:		err = simple_read_from_buffer(buf, len, ppos, tmp, strlen(tmp));
fs/proc/base.c:		length = simple_read_from_buffer(buf, count, ppos, p, length);
fs/proc/base.c:		ret = simple_read_from_buffer(buf, count, ppos, buffer, len);
fs/sysfs/file.c:	retval = simple_read_from_buffer(buf, count, ppos, buffer->page,
include/linux/fs.h:extern ssize_t simple_read_from_buffer(void __user *to, size_t count,
ipc/mqueue.c:	ret = simple_read_from_buffer(u_data, count, off, buffer,
kernel/cgroup.c:	return simple_read_from_buffer(buf, nbytes, ppos, tmp, len);
kernel/cgroup.c:	return simple_read_from_buffer(buf, nbytes, ppos, tmp, len);
kernel/configs.c:	return simple_read_from_buffer(buf, len, offset,
kernel/cpuset.c:	retval = simple_read_from_buffer(buf, nbytes, ppos, page, s - page);
kernel/kprobes.c:	return simple_read_from_buffer(user_buf, count, ppos, buf, 2);
kernel/rcupreempt_trace.c:	bcount = simple_read_from_buffer(buffer, count, ppos,
kernel/rcupreempt_trace.c:	bcount = simple_read_from_buffer(buffer, count, ppos,
kernel/rcupreempt_trace.c:	bcount = simple_read_from_buffer(buffer, count, ppos,
kernel/res_counter.c:	return simple_read_from_buffer((void __user *)userbuf, nbytes,
kernel/trace/blktrace.c:	return simple_read_from_buffer(buffer, count, ppos, buf, strlen(buf));
kernel/trace/ftrace.c:	return simple_read_from_buffer(ubuf, cnt, ppos, buf, r);
kernel/trace/ring_buffer.c:	return simple_read_from_buffer(ubuf, cnt, ppos, buf, r);
kernel/trace/trace.c:	count = simple_read_from_buffer(ubuf, count, ppos, mask_str, NR_CPUS+1);
kernel/trace/trace.c:	r = simple_read_from_buffer(ubuf, cnt, ppos, buf, r);
kernel/trace/trace.c:	return simple_read_from_buffer(ubuf, cnt, ppos,
kernel/trace/trace.c:	return simple_read_from_buffer(ubuf, cnt, ppos, buf, r);
kernel/trace/trace.c:	return simple_read_from_buffer(ubuf, cnt, ppos, buf, r);
kernel/trace/trace.c:	return simple_read_from_buffer(ubuf, cnt, ppos, buf, r);
kernel/trace/trace.c:	return simple_read_from_buffer(ubuf, cnt, ppos, buf, r);
kernel/trace/trace.c:	r = simple_read_from_buffer(ubuf, cnt, ppos, buf, r);
kernel/trace/trace.c:	return simple_read_from_buffer(ubuf, cnt, ppos, buf, 2);
kernel/trace/trace.c:	return simple_read_from_buffer(ubuf, cnt, ppos, buf, 2);
kernel/trace/trace_events.c:	return simple_read_from_buffer(ubuf, cnt, ppos, buf, 2);
kernel/trace/trace_events.c:	return simple_read_from_buffer(ubuf, cnt, ppos, buf, r);
kernel/trace/trace_events.c:	return simple_read_from_buffer(ubuf, cnt, ppos, buf, r);
kernel/trace/trace_events.c:		r = simple_read_from_buffer(ubuf, cnt, ppos,
kernel/trace/trace_events.c:	r = simple_read_from_buffer(ubuf, cnt, ppos,
kernel/trace/trace_stack.c:	return simple_read_from_buffer(ubuf, count, ppos, buf, r);
kernel/trace/trace_sysprof.c:	return simple_read_from_buffer(ubuf, cnt, ppos, buf, r);
net/mac80211/debugfs.c:	return simple_read_from_buffer(userbuf, count, ppos, buf, res);	\
net/mac80211/debugfs.c:	return simple_read_from_buffer(userbuf, count, ppos, buf, res);
net/mac80211/debugfs_key.c:	return simple_read_from_buffer(userbuf, count, ppos, buf, res);	\
net/mac80211/debugfs_key.c:	return simple_read_from_buffer(userbuf, count, ppos, alg, strlen(alg));
net/mac80211/debugfs_key.c:	return simple_read_from_buffer(userbuf, count, ppos, buf, len);
net/mac80211/debugfs_key.c:	return simple_read_from_buffer(userbuf, count, ppos, buf, len);
net/mac80211/debugfs_key.c:	return simple_read_from_buffer(userbuf, count, ppos, buf, len);
net/mac80211/debugfs_key.c:	res = simple_read_from_buffer(userbuf, count, ppos, buf, p - buf);
net/mac80211/debugfs_netdev.c:		ret = simple_read_from_buffer(userbuf, count, ppos, buf, ret);
net/mac80211/debugfs_sta.c:	return simple_read_from_buffer(userbuf, count, ppos, buf, res);	\
net/mac80211/debugfs_sta.c:	return simple_read_from_buffer(userbuf, count, ppos, buf, res);
net/mac80211/debugfs_sta.c:	return simple_read_from_buffer(userbuf, count, ppos, buf, res);
net/mac80211/debugfs_sta.c:	return simple_read_from_buffer(userbuf, count, ppos, buf, res);
net/mac80211/debugfs_sta.c:	return simple_read_from_buffer(userbuf, count, ppos, buf, p - buf);
net/mac80211/debugfs_sta.c:	return simple_read_from_buffer(userbuf, count, ppos, buf, p - buf);
net/mac80211/rate.c:	return simple_read_from_buffer(userbuf, count, ppos,
net/sunrpc/sysctl.c:	return simple_read_from_buffer(buffer, *lenp, ppos, tmpbuf, len);
security/selinux/selinuxfs.c:	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
security/selinux/selinuxfs.c:	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
security/selinux/selinuxfs.c:	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
security/selinux/selinuxfs.c:	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
security/selinux/selinuxfs.c:	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
security/selinux/selinuxfs.c:	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
security/selinux/selinuxfs.c:	ret = simple_read_from_buffer(buf, count, ppos, page, length);
security/selinux/selinuxfs.c:	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
security/selinux/selinuxfs.c:		ret = simple_read_from_buffer(buf, count, ppos, page, ret);
security/selinux/selinuxfs.c:	ret = simple_read_from_buffer(buf, count, ppos, con, len);
security/selinux/selinuxfs.c:	rc = simple_read_from_buffer(buf, count, ppos, page, len);
security/selinux/selinuxfs.c:	rc = simple_read_from_buffer(buf, count, ppos, page, len);
security/selinux/selinuxfs.c:	return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
security/smack/smackfs.c:	rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
security/smack/smackfs.c:	rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
security/smack/smackfs.c:		rc = simple_read_from_buffer(buf, cn, ppos,
security/smack/smackfs.c:		rc = simple_read_from_buffer(buf, cn, ppos, smack, asize);
sound/soc/soc-core.c:		ret = simple_read_from_buffer(user_buf, count, ppos, buf, ret);
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
