* [PATCH] staging: gasket: Fix sizeof() in gasket_handle_ioctl()
@ 2021-01-22 15:01 ` Dan Carpenter
From: Dan Carpenter @ 2021-01-22 15:01 UTC (permalink / raw)
To: Rob Springer
Cc: devel, kernel-janitors, Greg Kroah-Hartman, John Joseph,
Simon Que, Richard Yeh, Todd Poynor
The "gasket_dev->num_page_tables" variable is an int but this is copying
sizeof(u64). On 32 bit systems this would end up disclosing a kernel
pointer to user space, but on 64 bit it copies zeroes from a struct
hole.
Fixes: 9a69f5087ccc ("drivers/staging: Gasket driver framework + Apex driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
This is an API change. Please review this carefully! Another potential
fix would be to make ->num_page_tables a long instead of an int.
drivers/staging/gasket/gasket_ioctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/gasket/gasket_ioctl.c b/drivers/staging/gasket/gasket_ioctl.c
index e3047d36d8db..c4abac35c1ca 100644
--- a/drivers/staging/gasket/gasket_ioctl.c
+++ b/drivers/staging/gasket/gasket_ioctl.c
@@ -318,7 +318,7 @@ long gasket_handle_ioctl(struct file *filp, uint cmd, void __user *argp)
case GASKET_IOCTL_NUMBER_PAGE_TABLES:
trace_gasket_ioctl_integer_data(gasket_dev->num_page_tables);
if (copy_to_user(argp, &gasket_dev->num_page_tables,
- sizeof(uint64_t)))
+ sizeof(gasket_dev->num_page_tables)))
retval = -EFAULT;
else
retval = 0;
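Review bot: at the copy_to_user() call under case GASKET_IOCTL_NUMBER_PAGE_TABLES, shrinking the length from sizeof(uint64_t) to sizeof(gasket_dev->num_page_tables) stops the over-read, but it also changes what userspace gets back: a caller that passes a 64-bit buffer now has only the first sizeof(int) bytes written and the rest left as they were. If the ioctl is meant to return a 64-bit value, widening into a local first would keep the ABI and still close the leak, for example `u64 n = gasket_dev->num_page_tables;` followed by `copy_to_user(argp, &n, sizeof(n))`. Whichever is chosen, the length should agree with the argument type declared where GASKET_IOCTL_NUMBER_PAGE_TABLES is defined, which is not visible in this hunk.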
--
2.29.2
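The layout effect the commit message describes, as an added example that is not part of the original patch or the gasket driver: a userspace model that computes, for the machine it is compiled on, whether an 8-byte copy starting at an `int` counter reaches a neighbouring pointer or only a padding hole. `struct demo_dev`, its members and the helper functions are hypothetical names chosen for illustration, and a 4-byte `int` is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the driver state (not the real gasket struct):
 * an int counter followed directly by a pointer member. */
struct demo_dev {
    int   num_page_tables;
    void *next_member;
};

/* Bytes of next_member covered by a copy of len bytes that starts at
 * num_page_tables. Non-zero means part of a pointer value is copied out. */
static size_t pointer_bytes_exposed(size_t len)
{
    size_t copy_end  = offsetof(struct demo_dev, num_page_tables) + len;
    size_t ptr_start = offsetof(struct demo_dev, next_member);
    size_t ptr_end   = ptr_start + sizeof(void *);

    if (copy_end <= ptr_start)
        return 0;
    return (copy_end < ptr_end ? copy_end : ptr_end) - ptr_start;
}

/* Model of the ioctl copy with constructed values: copy len bytes (at most 8)
 * from the counter into a buffer and check whether pointer bytes arrived. */
static int copy_leaks_pointer(size_t len)
{
    struct demo_dev dev;
    unsigned char ubuf[8];
    size_t n;
    len = len > sizeof(ubuf) ? sizeof(ubuf) : len;
    n = pointer_bytes_exposed(len);
    memset(&dev, 0, sizeof(dev));
    dev.num_page_tables = 3;
    dev.next_member = &dev;
    memcpy(ubuf, (const unsigned char *)&dev, len);
    return n > 0 && memcmp(ubuf + offsetof(struct demo_dev, next_member),
                           &dev.next_member, n) == 0;
}

int main(void)
{
    printf("8-byte copy: %zu pointer bytes, leak=%d; 4-byte copy: %zu\n",
           pointer_bytes_exposed(sizeof(uint64_t)),
           copy_leaks_pointer(sizeof(uint64_t)),
           pointer_bytes_exposed(sizeof(int)));
    return 0;
}
```

On a 64-bit build the 8-byte copy covers only padding; built with `-m32` the same copy covers the whole pointer.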
* Re: [PATCH] staging: gasket: Fix sizeof() in gasket_handle_ioctl()
2021-01-22 15:01 ` Dan Carpenter
@ 2021-03-09 13:26 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2021-03-09 13:26 UTC (permalink / raw)
To: Dan Carpenter
Cc: Rob Springer, devel, kernel-janitors, John Joseph, Simon Que,
Richard Yeh, Todd Poynor
On Fri, Jan 22, 2021 at 06:01:13PM +0300, Dan Carpenter wrote:
> The "gasket_dev->num_page_tables" variable is an int but this is copying
> sizeof(u64). On 32 bit systems this would end up disclosing a kernel
> pointer to user space, but on 64 bit it copies zeroes from a struct
> hole.
>
> Fixes: 9a69f5087ccc ("drivers/staging: Gasket driver framework + Apex driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> This is an API change. Please review this carefully! Another potential
> fix would be to make ->num_page_tables a long instead of an int.
>
> drivers/staging/gasket/gasket_ioctl.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Looks like this driver is dead, with no response from anyone from
Google.
Should I just delete it? The goal of using normal apis and getting this
out of staging seems to have totally died, so it shouldn't even still be
living in the kernel tree. Even if having it here actually finds
security issues that the authors missed like this :(
So, any objection to me deleting it?
thanks,
greg k-h
* AW: [PATCH] staging: gasket: Fix sizeof() in gasket_handle_ioctl()
2021-03-09 13:26 ` Greg Kroah-Hartman
@ 2021-03-09 16:57 ` Walter Harms
From: Walter Harms @ 2021-03-09 16:57 UTC (permalink / raw)
To: Greg Kroah-Hartman, Dan Carpenter
Cc: Rob Springer, devel, kernel-janitors, John Joseph, Simon Que,
Richard Yeh, Todd Poynor
why not mark it as "Deprecated" and remove it with the next version? Maybe someone will wake up?
re,
wh
________________________________________
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sent: Tuesday, 9 March 2021 14:26:55
To: Dan Carpenter
Cc: Rob Springer; devel@driverdev.osuosl.org; kernel-janitors@vger.kernel.org; John Joseph; Simon Que; Richard Yeh; Todd Poynor
Subject: Re: [PATCH] staging: gasket: Fix sizeof() in gasket_handle_ioctl()
On Fri, Jan 22, 2021 at 06:01:13PM +0300, Dan Carpenter wrote:
> The "gasket_dev->num_page_tables" variable is an int but this is copying
> sizeof(u64). On 32 bit systems this would end up disclosing a kernel
> pointer to user space, but on 64 bit it copies zeroes from a struct
> hole.
>
> Fixes: 9a69f5087ccc ("drivers/staging: Gasket driver framework + Apex driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> This is an API change. Please review this carefully! Another potential
> fix would be to make ->num_page_tables a long instead of an int.
>
> drivers/staging/gasket/gasket_ioctl.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
Looks like this driver is dead, with no response from anyone from
Google.
Should I just delete it? The goal of using normal apis and getting this
out of staging seems to have totally died, so it shouldn't even still be
living in the kernel tree. Even if having it here actually finds
security issues that the authors missed like this :(
So, any objection to me deleting it?
thanks,
greg k-h
* Re: [PATCH] staging: gasket: Fix sizeof() in gasket_handle_ioctl()
2021-03-09 16:57 ` Walter Harms
@ 2021-03-09 17:03 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2021-03-09 17:03 UTC (permalink / raw)
To: Walter Harms
Cc: Dan Carpenter, devel, John Joseph, kernel-janitors, Simon Que,
Richard Yeh, Rob Springer, Todd Poynor
On Tue, Mar 09, 2021 at 04:57:59PM +0000, Walter Harms wrote:
> why not mark it as "Deprecated" and remove it with the next version? Maybe someone will wake up?
We don't really have a "Deprecated" marking, we just delete them :)
thanks,
greg k-h