Open Source and information security mailing list archives
Message-ID: <afaca83a-6ef5-6d48-3c0b-f4403ac86890@icloud.com>
Date:   Wed, 17 Feb 2021 21:57:25 +0530
From:   Pritthijit Nath <pritthijit.nath@...oud.com>
To:     Greg KH <gregkh@...uxfoundation.org>
Cc:     devel@...verdev.osuosl.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] staging: wlan-ng: Fixed incorrect type warning in
 p80211netdev.c

On 17/02/21 9:23 pm, Greg KH wrote:
> On Wed, Feb 17, 2021 at 09:12:55PM +0530, Pritthijit Nath wrote:
>> This change fixes a sparse warning "incorrect type in argument 1
>> (different address spaces)".
>>
>> Signed-off-by: Pritthijit Nath <pritthijit.nath@...oud.com>
>> ---
>>  drivers/staging/wlan-ng/p80211netdev.c | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/staging/wlan-ng/p80211netdev.c b/drivers/staging/wlan-ng/p80211netdev.c
>> index 6f9666dc0277..70570e8a5ad2 100644
>> --- a/drivers/staging/wlan-ng/p80211netdev.c
>> +++ b/drivers/staging/wlan-ng/p80211netdev.c
>> @@ -569,7 +569,7 @@ static int p80211knetdev_do_ioctl(struct net_device *dev,
>>  		goto bail;
>>  	}
>>  
>> -	msgbuf = memdup_user(req->data, req->len);
>> +	msgbuf = memdup_user((void __user *)req->data, req->len);
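Review bot: The `(void __user *)` cast on the memdup_user() line silences sparse at this one call site but leaves req->data itself unannotated, so the checker cannot flag any other use of that member with the wrong address space. Consider declaring the data member of struct p80211ioctl_req as `void __user *` so that memdup_user(req->data, req->len) type-checks with no cast, and say in the commit message why the pointer is known to be a user-space address.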
> 
> Odd.  Why isn't data tagged as a __user pointer to start with?
> 
> thanks,
> 
> greg k-h
> 

In lines 540-548 ->

...

static int p80211knetdev_do_ioctl(struct net_device *dev,
                                  struct ifreq *ifr, int cmd)
{
        int result = 0;
        struct p80211ioctl_req *req = (struct p80211ioctl_req *)ifr;
        struct wlandevice *wlandev = dev->ml_priv;
        u8 *msgbuf;

        netdev_dbg(dev, "rx'd ioctl, cmd=%d, len=%d\n", cmd, req->len);

...

it can be seen that *req is essentially coming from an explicit cast of *ifr. ifr->data itself is of char* type. So, imo, an explicit __user pointer cast is required. 

The patch above was based on the __user pointer cast done in lines 580-586 ->

...

if (result == 0) {
                if (copy_to_user
                    ((void __user *)req->data, msgbuf, req->len)) {
                        result = -EFAULT;
                }
        }
        kfree(msgbuf);

...

and lines 550-556 ->

#ifdef SIOCETHTOOL
        if (cmd == SIOCETHTOOL) {
                result =
                    p80211netdev_ethtool(wlandev, (void __user *)ifr->ifr_data);
                goto bail;
        }
#endif
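
An added example, not part of the original message or of the wlan-ng driver: a userland sketch of the alternative raised in the quoted review question, where the struct member itself carries `__user` and the call site needs no cast. `demo_ioctl_req`, `demo_memdup_user`, `demo_do_ioctl` and `DEMO_MAX_LEN` are hypothetical names, and `demo_memdup_user` is a malloc/memcpy stand-in for the kernel's memdup_user().

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Sparse address-space markers in the style the kernel uses; they expand to
 * nothing for a normal compiler, so this file builds and runs in userland. */
#ifdef __CHECKER__
# define __user  __attribute__((noderef, address_space(1)))
# define __force __attribute__((force))
#else
# define __user
# define __force
#endif

#define DEMO_MAX_LEN 4096u	/* hypothetical bound chosen for this demo */

/* Hypothetical request layout: the member carries __user, so sparse checks
 * every use of req->data and no call site has to cast. */
struct demo_ioctl_req {
	void __user *data;
	uint16_t len;
};

/* Stand-in for memdup_user(): the one place the annotation is deliberately
 * stripped, which is what __force exists for. */
void *demo_memdup_user(const void __user *src, size_t len)
{
	void *p = malloc(len);
	if (p)
		memcpy(p, (__force const void *)src, len);
	return p;
}

/* Copies the caller's buffer in; returns 0 or a negative errno value. */
int demo_do_ioctl(struct demo_ioctl_req *req, void **out)
{
	*out = NULL;
	if (req->len == 0 || req->len > DEMO_MAX_LEN)
		return -EINVAL;
	*out = demo_memdup_user(req->data, req->len);	/* no cast needed */
	return *out ? 0 : -ENOMEM;
}

int main(void)
{
	char payload[] = "constructed sample";	/* constructed input */
	struct demo_ioctl_req req = { (__force void __user *)payload, sizeof(payload) };
	void *copy;
	int rc = demo_do_ioctl(&req, &copy);
	free(copy);
	return rc != 0;
}
```

Running sparse over this file defines `__CHECKER__`, which turns the two macros into real attributes; a plain compiler sees them as empty.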