lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20100604103840.GD5483@bicker>
Date:	Fri, 4 Jun 2010 12:38:40 +0200
From:	Dan Carpenter <error27@...il.com>
To:	Greg Kroah-Hartman <gregkh@...e.de>
Cc:	Alan Cox <alan@...ux.intel.com>,
	Ben Hutchings <ben@...adent.org.uk>,
	devel@...verdev.osuosl.org, linux-kernel@...r.kernel.org,
	kernel-janitors@...r.kernel.org
Subject: [patch] Staging: sep: return -EFAULT on copy_to_user errors

copy_to_user() returns the number of bytes remaining but we want to
return a negative error code here.  These functions are used in the
ioctl handler and the error code gets returned to userspace.

Signed-off-by: Dan Carpenter <error27@...il.com>

diff --git a/drivers/staging/sep/sep_driver.c b/drivers/staging/sep/sep_driver.c
index 0332c37..ecbde34 100644
--- a/drivers/staging/sep/sep_driver.c
+++ b/drivers/staging/sep/sep_driver.c
@@ -594,8 +594,10 @@ static int sep_allocate_data_pool_memory_handler(struct sep_device *sep,
 	dbg("SEP Driver:--------> sep_allocate_data_pool_memory_handler start\n");
 
 	error = copy_from_user(&command_args, (void *) arg, sizeof(struct sep_driver_alloc_t));
-	if (error)
+	if (error) {
+		error = -EFAULT;
 		goto end_function;
+	}
 
 	/* allocate memory */
 	if ((sep->data_pool_bytes_allocated + command_args.num_bytes) > SEP_DRIVER_DATA_POOL_SHARED_AREA_SIZE_IN_BYTES) {
@@ -609,8 +611,10 @@ static int sep_allocate_data_pool_memory_handler(struct sep_device *sep,
 
 	/* write the memory back to the user space */
 	error = copy_to_user((void *) arg, (void *) &command_args, sizeof(struct sep_driver_alloc_t));
-	if (error)
+	if (error) {
+		error = -EFAULT;
 		goto end_function;
+	}
 
 	/* set the allocation */
 	sep->data_pool_bytes_allocated += command_args.num_bytes;
@@ -661,6 +665,8 @@ static int sep_write_into_data_pool_handler(struct sep_device *sep, unsigned lon
 	}
 	/* copy the application data */
 	error = copy_from_user(virt_address, (void *) app_in_address, num_bytes);
+	if (error)
+		error = -EFAULT;
 end_function:
 	dbg("SEP Driver:<-------- sep_write_into_data_pool_handler end\n");
 	return error;
@@ -711,6 +717,8 @@ static int sep_read_from_data_pool_handler(struct sep_device *sep, unsigned long
 
 	/* copy the application data */
 	error = copy_to_user((void *) app_out_address, virt_address, num_bytes);
+	if (error)
+		error = -EFAULT;
 end_function:
 	dbg("SEP Driver:<-------- sep_read_from_data_pool_handler end\n");
 	return error;
@@ -1448,8 +1456,10 @@ static int sep_create_sync_dma_tables_handler(struct sep_device *sep,
 	dbg("SEP Driver:--------> sep_create_sync_dma_tables_handler start\n");
 
 	error = copy_from_user(&command_args, (void *) arg, sizeof(struct sep_driver_build_sync_table_t));
-	if (error)
+	if (error) {
+		error = -EFAULT;
 		goto end_function;
+	}
 
 	edbg("app_in_address is %08lx\n", command_args.app_in_address);
 	edbg("app_out_address is %08lx\n", command_args.app_out_address);
@@ -1799,8 +1809,10 @@ static int sep_create_flow_dma_tables_handler(struct sep_device *sep,
 		goto end_function;
 
 	error = copy_from_user(&command_args, (void *) arg, sizeof(struct sep_driver_build_flow_table_t));
-	if (error)
+	if (error) {
+		error = -EFAULT;
 		goto end_function;
+	}
 
 	/* create flow tables */
 	error = sep_prepare_flow_dma_tables(sep, command_args.num_virtual_buffers, command_args.virt_buff_data_addr, flow_context_ptr, &first_table_data, &last_table_data, command_args.isKernelVirtualAddress);
@@ -1819,8 +1831,10 @@ static int sep_create_flow_dma_tables_handler(struct sep_device *sep,
 
 	/* send the parameters to user application */
 	error = copy_to_user((void *) arg, &command_args, sizeof(struct sep_driver_build_flow_table_t));
-	if (error)
+	if (error) {
+		error = -EFAULT;
 		goto end_function_with_error;
+	}
 
 	/* all the flow created  - update the flow entry with temp id */
 	flow_context_ptr->flow_id = SEP_TEMP_FLOW_ID;
@@ -1861,8 +1875,10 @@ static int sep_add_flow_tables_handler(struct sep_device *sep, unsigned long arg
 
 	/* get input parameters */
 	error = copy_from_user(&command_args, (void *) arg, sizeof(struct sep_driver_add_flow_table_t));
-	if (error)
+	if (error) {
+		error = -EFAULT;
 		goto end_function;
+	}
 
 	/* find the flow structure for the flow id */
 	flow_context_ptr = sep_find_flow_context(sep, command_args.flow_id);
@@ -1933,6 +1949,8 @@ static int sep_add_flow_tables_handler(struct sep_device *sep, unsigned long arg
 
 	/* send the parameters to user application */
 	error = copy_to_user((void *) arg, &command_args, sizeof(struct sep_driver_add_flow_table_t));
+	if (error)
+		error = -EFAULT;
 end_function_with_error:
 	/* free the allocated tables */
 	sep_deallocated_flow_tables(&first_table_data);
@@ -1953,8 +1971,10 @@ static int sep_add_flow_tables_message_handler(struct sep_device *sep, unsigned
 	dbg("SEP Driver:--------> sep_add_flow_tables_message_handler start\n");
 
 	error = copy_from_user(&command_args, (void *) arg, sizeof(struct sep_driver_add_message_t));
-	if (error)
+	if (error) {
+		error = -EFAULT;
 		goto end_function;
+	}
 
 	/* check input */
 	if (command_args.message_size_in_bytes > SEP_MAX_ADD_MESSAGE_LENGTH_IN_BYTES) {
@@ -1970,6 +1990,8 @@ static int sep_add_flow_tables_message_handler(struct sep_device *sep, unsigned
 	/* copy the message into context */
 	flow_context_ptr->message_size_in_bytes = command_args.message_size_in_bytes;
 	error = copy_from_user(flow_context_ptr->message, (void *) command_args.message_address, command_args.message_size_in_bytes);
+	if (error)
+		error = -EFAULT;
 end_function:
 	dbg("SEP Driver:<-------- sep_add_flow_tables_message_handler end\n");
 	return error;
@@ -1994,6 +2016,8 @@ static int sep_get_static_pool_addr_handler(struct sep_device *sep, unsigned lon
 
 	/* send the parameters to user application */
 	error = copy_to_user((void *) arg, &command_args, sizeof(struct sep_driver_static_pool_addr_t));
+	if (error)
+		error = -EFAULT;
 	dbg("SEP Driver:<-------- sep_get_static_pool_addr_handler end\n");
 	return error;
 }
@@ -2010,8 +2034,10 @@ static int sep_get_physical_mapped_offset_handler(struct sep_device *sep, unsign
 	dbg("SEP Driver:--------> sep_get_physical_mapped_offset_handler start\n");
 
 	error = copy_from_user(&command_args, (void *) arg, sizeof(struct sep_driver_get_mapped_offset_t));
-	if (error)
+	if (error) {
+		error = -EFAULT;
 		goto end_function;
+	}
 
 	if (command_args.physical_address < sep->shared_bus) {
 		error = -EINVAL;
@@ -2025,6 +2051,8 @@ static int sep_get_physical_mapped_offset_handler(struct sep_device *sep, unsign
 
 	/* send the parameters to user application */
 	error = copy_to_user((void *) arg, &command_args, sizeof(struct sep_driver_get_mapped_offset_t));
+	if (error)
+		error = -EFAULT;
 end_function:
 	dbg("SEP Driver:<-------- sep_get_physical_mapped_offset_handler end\n");
 	return error;
@@ -2070,11 +2098,11 @@ static int sep_init_handler(struct sep_device *sep, unsigned long arg)
 	error = 0;
 
 	error = copy_from_user(&command_args, (void *) arg, sizeof(struct sep_driver_init_t));
-
-	dbg("SEP Driver:--------> sep_init_handler - finished copy_from_user \n");
-
-	if (error)
+	if (error) {
+		error = -EFAULT;
 		goto end_function;
+	}
+	dbg("SEP Driver:--------> sep_init_handler - finished copy_from_user\n");
 
 	/* PATCH - configure the DMA to single -burst instead of multi-burst */
 	/*sep_configure_dma_burst(); */
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ