| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <28555689.kcgDUFsbsB@vostro.rjw.lan>
Date: Thu, 23 May 2013 01:39 +0200
From: "Rafael J. Wysocki" <rjw@...k.pl>
To: Jiri Slaby <jslaby@...e.cz>
Cc: jirislaby@...il.com, akpm@...ux-foundation.org,
linux-kernel@...r.kernel.org, Vasiliy Kulikov <segooon@...il.com>,
Thomas Renninger <trenn@...e.de>, Len Brown <lenb@...nel.org>,
ACPI Devel Maling List <linux-acpi@...r.kernel.org>
Subject: Re: [PATCH -resend 5/6] acpi: ec_sys: access user space with get_user()/put_user()
On Wednesday, May 22, 2013 02:59:11 PM Jiri Slaby wrote:
> From: Vasiliy Kulikov <segooon@...il.com>
>
> User space pointer may not be dereferenced. Use get_user()/put_user()
> instead and check their return codes.
>
> Signed-off-by: Vasiliy Kulikov <segooon@...il.com>
> Signed-off-by: Thomas Renninger <trenn@...e.de>
> Signed-off-by: Jiri Slaby <jslaby@...e.cz>
> Cc: Len Brown <lenb@...nel.org>
> Cc: "Rafael J. Wysocki" <rjw@...k.pl>
> Cc: linux-acpi@...r.kernel.org
Interesting. It looks like it actually didn't reach linux-acpi.
Anyway, I'm going to queue it up for v3.11.
Thanks,
Rafael
> ---
> drivers/acpi/ec_sys.c | 18 ++++++++++++++----
> 1 file changed, 14 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/acpi/ec_sys.c b/drivers/acpi/ec_sys.c
> index 7586544..4e7b798 100644
> --- a/drivers/acpi/ec_sys.c
> +++ b/drivers/acpi/ec_sys.c
> @@ -12,6 +12,7 @@
> #include <linux/acpi.h>
> #include <linux/debugfs.h>
> #include <linux/module.h>
> +#include <linux/uaccess.h>
> #include "internal.h"
>
> MODULE_AUTHOR("Thomas Renninger <trenn@...e.de>");
> @@ -34,7 +35,6 @@ static ssize_t acpi_ec_read_io(struct file *f, char __user *buf,
> * struct acpi_ec *ec = ((struct seq_file *)f->private_data)->private;
> */
> unsigned int size = EC_SPACE_SIZE;
> - u8 *data = (u8 *) buf;
> loff_t init_off = *off;
> int err = 0;
>
> @@ -47,9 +47,15 @@ static ssize_t acpi_ec_read_io(struct file *f, char __user *buf,
> size = count;
>
> while (size) {
> - err = ec_read(*off, &data[*off - init_off]);
> + u8 byte_read;
> + err = ec_read(*off, &byte_read);
> if (err)
> return err;
> + if (put_user(byte_read, buf + *off - init_off)) {
> + if (*off - init_off)
> + return *off - init_off; /* partial read */
> + return -EFAULT;
> + }
> *off += 1;
> size--;
> }
> @@ -65,7 +71,6 @@ static ssize_t acpi_ec_write_io(struct file *f, const char __user *buf,
>
> unsigned int size = count;
> loff_t init_off = *off;
> - u8 *data = (u8 *) buf;
> int err = 0;
>
> if (*off >= EC_SPACE_SIZE)
> @@ -76,7 +81,12 @@ static ssize_t acpi_ec_write_io(struct file *f, const char __user *buf,
> }
>
> while (size) {
> - u8 byte_write = data[*off - init_off];
> + u8 byte_write;
> + if (get_user(byte_write, buf + *off - init_off)) {
> + if (*off - init_off)
> + return *off - init_off; /* partial write */
> + return -EFAULT;
> + }
> err = ec_write(*off, byte_write);
> if (err)
> return err;
>
--
I speak only for myself.
Rafael J. Wysocki, Intel Open Source Technology Center.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists