| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <F6EA0E6E-A5EB-4096-B80E-6EAA546EFAA0@gmail.com>
Date: Wed, 20 Sep 2017 23:32:33 -0400
From: Meng Xu <mengxu.gatech@...il.com>
To: Al Viro <viro@...IV.linux.org.uk>
Cc: sathya.prakash@...adcom.com, chaitra.basappa@...adcom.com,
suganath-prabu.subramani@...adcom.com, jejb@...ux.vnet.ibm.com,
martin.petersen@...cle.com, MPT-FusionLinux.pdl@...adcom.com,
linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org,
meng.xu@...ech.edu, sanidhya@...ech.edu, taesoo@...ech.edu
Subject: Re: [PATCH] mpt3sas: downgrade full copy_from_user to access_ok check
> On Sep 20, 2017, at 11:26 PM, Al Viro <viro@...IV.linux.org.uk> wrote:
>
> On Tue, Sep 19, 2017 at 11:11:11PM -0400, Meng Xu wrote:
>> Since right after the user copy, we are going to
>> memset(&karg, 0, sizeof(karg)), I guess an access_ok check is enough?
>
> access_ok() is *NOT* "will copy_from_user() succeed?" Not even close.
> On a bunch of architectures (sparc64, for one) access_ok() is always
> true.
>
> All it does is checking that address is not a kernel one - e.g. on
> i386 anything in range 0..3Gb qualifies. Whether anything's mapped
> at that address or not.
>
> Why bother with that copy_from_user() at all? The same ioctl()
> proceeds to copy_to_user() on exact same range; all you get from
> it is "if the area passed by caller is writable, but not readable,
> fail with -EFAULT". Who cares?
>
> Just drop that copy_from_user() completely. Anything access_ok()
> might've caught will be caught by copy_to_user() anyway.
Yes, Christoph has suggested the same thing and I have submitted
another patch with copy_from_user removed entirely.
Powered by blists - more mailing lists