openkylin
/
linux
mirror of https://gitee.com/openkylin/linux.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

net/compat: Fix minor information leak in siocdevprivate_ioctl() 

We don't need to check that ifr_data itself is a valid user pointer,
but we should check &ifr_data is.  Thankfully the copy of ifr_name is
checked, so this can only leak a few bytes from immediately above the
user address limit.

Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
This commit is contained in:
Ben Hutchings 2013-11-18 17:04:58 +00:00
parent e1bd1dc207
commit 417c3522b3
1 changed files with 2 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
net/socket.c
View File

@ -3015,19 +3015,16 @@ static int siocdevprivate_ioctl(struct net *net, unsigned int cmd,
if (copy_from_user(&tmp_buf[0], &(u_ifreq32->ifr_ifrn.ifrn_name[0]), if (copy_from_user(&tmp_buf[0], &(u_ifreq32->ifr_ifrn.ifrn_name[0]),
IFNAMSIZ)) IFNAMSIZ))
return -EFAULT; return -EFAULT;
if (__get_user(data32, &u_ifreq32->ifr_ifru.ifru_data)) if (get_user(data32, &u_ifreq32->ifr_ifru.ifru_data))
return -EFAULT; return -EFAULT;
data64 = compat_ptr(data32); data64 = compat_ptr(data32);
u_ifreq64 = compat_alloc_user_space(sizeof(*u_ifreq64)); u_ifreq64 = compat_alloc_user_space(sizeof(*u_ifreq64));
/* Don't check these user accesses, just let that get trapped
* in the ioctl handler instead.
*/
if (copy_to_user(&u_ifreq64->ifr_ifrn.ifrn_name[0], &tmp_buf[0], if (copy_to_user(&u_ifreq64->ifr_ifrn.ifrn_name[0], &tmp_buf[0],
IFNAMSIZ)) IFNAMSIZ))
return -EFAULT; return -EFAULT;
if (__put_user(data64, &u_ifreq64->ifr_ifru.ifru_data)) if (put_user(data64, &u_ifreq64->ifr_ifru.ifru_data))
return -EFAULT; return -EFAULT;
return dev_ioctl(net, cmd, u_ifreq64); return dev_ioctl(net, cmd, u_ifreq64);