| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 17 Feb 2021 21:57:25 +0530
From: Pritthijit Nath <pritthijit.nath@...oud.com>
To: Greg KH <gregkh@...uxfoundation.org>
Cc: devel@...verdev.osuosl.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] staging: wlan-ng: Fixed incorrect type warning in
p80211netdev.c
On 17/02/21 9:23 pm, Greg KH wrote:
> On Wed, Feb 17, 2021 at 09:12:55PM +0530, Pritthijit Nath wrote:
>> This change fixes a sparse warning "incorrect type in argument 1
>> (different address spaces)".
>>
>> Signed-off-by: Pritthijit Nath <pritthijit.nath@...oud.com>
>> ---
>> drivers/staging/wlan-ng/p80211netdev.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/staging/wlan-ng/p80211netdev.c b/drivers/staging/wlan-ng/p80211netdev.c
>> index 6f9666dc0277..70570e8a5ad2 100644
>> --- a/drivers/staging/wlan-ng/p80211netdev.c
>> +++ b/drivers/staging/wlan-ng/p80211netdev.c
>> @@ -569,7 +569,7 @@ static int p80211knetdev_do_ioctl(struct net_device *dev,
>> goto bail;
>> }
>>
>> - msgbuf = memdup_user(req->data, req->len);
>> + msgbuf = memdup_user((void __user *)req->data, req->len);
>
> Odd. Why isn't data tagged as a __user pointer to start with?
>
> thanks,
>
> greg k-h
>
In lines 540-548 ->
...
static int p80211knetdev_do_ioctl(struct net_device *dev,
struct ifreq *ifr, int cmd)
{
int result = 0;
struct p80211ioctl_req *req = (struct p80211ioctl_req *)ifr;
struct wlandevice *wlandev = dev->ml_priv;
u8 *msgbuf;
netdev_dbg(dev, "rx'd ioctl, cmd=%d, len=%d\n", cmd, req->len);
...
it can be seen that *req is essentially coming from an explicit cast of *ifr. ifr->data itself is of char* type. So, imo, an explicit __user pointer cast is required.
The patch above was based on the __user pointer cast done in lines 580-586 ->
...
if (result == 0) {
if (copy_to_user
((void __user *)req->data, msgbuf, req->len)) {
result = -EFAULT;
}
}
kfree(msgbuf);
...
and lines 550-556 ->
#ifdef SIOCETHTOOL
if (cmd == SIOCETHTOOL) {
result =
p80211netdev_ethtool(wlandev, (void __user *)ifr->ifr_data);
goto bail;
}
#endif
Powered by blists - more mailing lists