lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-Id: <1403422178-20833-1-git-send-email-shack@linux.com> Date: Sun, 22 Jun 2014 03:29:38 -0400 From: James A Shackleford <shack@...ux.com> To: gregkh@...uxfoundation.org, alan@...ux.intel.com, devel@...verdev.osuosl.org, linux-kernel@...r.kernel.org Cc: James A Shackleford <shack@...ux.com> Subject: [PATCH] staging: goldfish: fix direct copy_to_user() from __iomem This patch allocates a few pages and performs an ioread8_rep() from the bus address, which are then copied to userspace. This fixes the sparse warning: drivers/staging/goldfish/goldfish_audio.c:136:43: warning: incorrect type in argument 2 (different address spaces) drivers/staging/goldfish/goldfish_audio.c:136:43: expected void const *from drivers/staging/goldfish/goldfish_audio.c:136:43: got char [noderef] <asn:2>*read_buffer which was a result of performing a copy_to_user() directly from the bus address to the userspace, which can be unsafe across some architectures. Signed-off-by: James A Shackleford <shack@...ux.com> --- drivers/staging/goldfish/goldfish_audio.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/drivers/staging/goldfish/goldfish_audio.c b/drivers/staging/goldfish/goldfish_audio.c index a166424..535ed20 100644 --- a/drivers/staging/goldfish/goldfish_audio.c +++ b/drivers/staging/goldfish/goldfish_audio.c @@ -118,10 +118,17 @@ static ssize_t goldfish_audio_read(struct file *fp, char __user *buf, struct goldfish_audio *data = fp->private_data; int length; int result = 0; + unsigned int order; + void *read_buffer; if (!data->read_supported) return -ENODEV; + order = get_order(READ_BUFFER_SIZE); + read_buffer = (void *)__get_free_pages(GFP_KERNEL, order); + if (!read_buffer) + return -ENOMEM; + while (count > 0) { length = (count > READ_BUFFER_SIZE ? READ_BUFFER_SIZE : count); AUDIO_WRITE(data, AUDIO_START_READ, length); @@ -129,17 +136,21 @@ static ssize_t goldfish_audio_read(struct file *fp, char __user *buf, wait_event_interruptible(data->wait, (data->buffer_status & AUDIO_INT_READ_BUFFER_FULL)); - length = AUDIO_READ(data, - AUDIO_READ_BUFFER_AVAILABLE); + length = AUDIO_READ(data, AUDIO_READ_BUFFER_AVAILABLE); /* copy data to user space */ - if (copy_to_user(buf, data->read_buffer, length)) - return -EFAULT; + ioread8_rep(data->read_buffer, read_buffer, length); + if (copy_to_user(buf, read_buffer, length)) { + result = -EFAULT; + goto error; + } result += length; buf += length; count -= length; } +error: + __free_pages(read_buffer, order); return result; } -- 1.7.9.5 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists