All of lore.kernel.org
 help / color / mirror / Atom feed
From: Francois Romieu <romieu@fr.zoreil.com>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: linux-kernel@vger.kernel.org, torvalds@osdl.org
Subject: [PATCH] 2.6.0-test1-after-alan-s-patch - Unchecked copy_to_user disturb harmony
Date: Fri, 18 Jul 2003 23:31:35 +0200	[thread overview]
Message-ID: <20030718233135.B780@electric-eye.fr.zoreil.com> (raw)
In-Reply-To: <200307181431.h6IEV7Sm017874@hraefn.swansea.linux.org.uk>; from alan@lxorguk.ukuu.org.uk on Fri, Jul 18, 2003 at 03:31:07PM +0100


Assortment of unchecked copy_to_user().

Afaiks, the wild return statement in harmony_audio_write() don't add
extra leak (or whatever).


 sound/oss/harmony.c |   33 ++++++++++++++++++++++-----------
 1 files changed, 22 insertions(+), 11 deletions(-)

diff -puN sound/oss/harmony.c~janitor-copy_to_user-harmony sound/oss/harmony.c
--- linux-2.6.0-test1-20030718_0517/sound/oss/harmony.c~janitor-copy_to_user-harmony	Fri Jul 18 22:58:28 2003
+++ linux-2.6.0-test1-20030718_0517-fr/sound/oss/harmony.c	Fri Jul 18 23:28:32 2003
@@ -442,9 +442,12 @@ static ssize_t harmony_audio_read(struct
 		buf_to_read = harmony.first_filled_record;
 
 		/* Copy the page to an aligned buffer */
-		copy_to_user(buffer+count, 
-			     recorded_buf.addr+(HARMONY_BUF_SIZE*buf_to_read), 
-			     HARMONY_BUF_SIZE);
+		if (copy_to_user(buffer+count, recorded_buf.addr +
+				 (HARMONY_BUF_SIZE*buf_to_read),
+				 HARMONY_BUF_SIZE)) {
+			count = -EFAULT;
+			break;
+		}
 		
 		harmony.nb_filled_record--;
 		harmony.first_filled_record++;
@@ -474,13 +477,16 @@ static ssize_t harmony_audio_read(struct
 #define test_rate(tested,real_value,harmony_value) if ((tested)<=(real_value))\
                                                     
 
-static void harmony_format_auto_detect(const char *buffer, int block_size)
+static int harmony_format_auto_detect(const char *buffer, int block_size)
 {
 	u8 file_header[24];
 	u32 start_string;
+	int ret = 0;
 	
 	if (block_size>24) {
-		copy_from_user(file_header, buffer, sizeof(file_header));
+		if (copy_from_user(file_header, buffer, sizeof(file_header)))
+			ret = -EFAULT;
+			
 		start_string = four_bytes_to_u32(0);
 		
 		if ((file_header[4]==0) && (start_string==0x2E736E64)) {
@@ -505,7 +511,7 @@ static void harmony_format_auto_detect(c
 			default:
 				harmony_set_control(HARMONY_DF_16BIT_LINEAR,
 						HARMONY_SR_44KHZ, HARMONY_SS_STEREO);
-				return;
+				goto out;
 			}
 			switch (nb_voices) {
 			case HARMONY_MAGIC_MONO:
@@ -520,10 +526,12 @@ static void harmony_format_auto_detect(c
 			}
 			harmony_set_rate(harmony_detect_rate(&speed));
 			harmony.dac_rate = speed;
-			return;			
+			goto out;
 		}
 	}
 	harmony_set_control(HARMONY_DF_8BIT_ULAW, HARMONY_SR_8KHZ, HARMONY_SS_MONO);
+out:
+	return ret;
 }
 #undef four_bytes_to_u32
 
@@ -538,8 +546,10 @@ static ssize_t harmony_audio_write(struc
 	int frame_size;
 	int buf_to_fill;
 
-	if (!harmony.format_initialized) 
-	   harmony_format_auto_detect(buffer, total_count);
+	if (!harmony.format_initialized) {
+		if (harmony_format_auto_detect(buffer, total_count))
+			return -EFAULT;
+	}
 	
 	while (count<total_count) {
 		/* Wait until we're out of control mode */
@@ -573,8 +583,9 @@ static ssize_t harmony_audio_write(struc
 		}
 
 		/* Copy the page to an aligned buffer */
-		copy_from_user(played_buf.addr + (HARMONY_BUF_SIZE*buf_to_fill) + harmony.play_offset, 
-				buffer+count, frame_size);
+		if (copy_from_user(played_buf.addr +(HARMONY_BUF_SIZE*buf_to_fill) + harmony.play_offset, 
+				   buffer+count, frame_size))
+			return -EFAULT;
 		CHECK_WBACK_INV_OFFSET(played_buf, (HARMONY_BUF_SIZE*buf_to_fill + harmony.play_offset), 
 				frame_size);
 	

_

      reply	other threads:[~2003-07-18 21:28 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2003-07-18 14:31 PATCH: Add Harmony OSS driver Alan Cox
2003-07-18 21:31 ` Francois Romieu [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20030718233135.B780@electric-eye.fr.zoreil.com \
    --to=romieu@fr.zoreil.com \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=linux-kernel@vger.kernel.org \
    --cc=torvalds@osdl.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.