* [patch 1/2] staging/bcm: two information leaks in ioctl
From: Dan Carpenter @ 2014-02-17 19:56 UTC (permalink / raw)
  To: kernel-janitors

There are a couple paths where we don't check how much data we copy back
to the user.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
index fdebc3bba0b5..6f1997dc44c8 100644
--- a/drivers/staging/bcm/Bcmchar.c
+++ b/drivers/staging/bcm/Bcmchar.c
@@ -590,6 +590,8 @@ static int bcm_char_ioctl_gpio_multi_request(void __user *argp, struct bcm_mini_
 
 	if (IoBuffer.InputLength > sizeof(gpio_multi_info))
 		return -EINVAL;
+	if (IoBuffer.OutputLength > sizeof(gpio_multi_info))
+		IoBuffer.OutputLength = sizeof(gpio_multi_info);
 
 	if (copy_from_user(&gpio_multi_info, IoBuffer.InputBuffer, IoBuffer.InputLength))
 		return -EFAULT;
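Review bot: The new OutputLength clamp caps the upper bound, but the copy_from_user() just below it only fills IoBuffer.InputLength bytes of gpio_multi_info, and InputLength is allowed to be smaller than sizeof(gpio_multi_info). If the local is not zeroed before this point (the initialisation is not visible in this hunk), any later copy back of up to OutputLength bytes can still return stack contents from the unwritten tail. Consider a memset() of gpio_multi_info before the copy_from_user(), or rejecting InputLength values that do not equal sizeof(gpio_multi_info), so the clamp closes the leak completely.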
@@ -680,6 +682,8 @@ static int bcm_char_ioctl_gpio_mode_request(void __user *argp, struct bcm_mini_a
 
 	if (IoBuffer.InputLength > sizeof(gpio_multi_mode))
 		return -EINVAL;
+	if (IoBuffer.OutputLength > sizeof(gpio_multi_mode))
+		IoBuffer.OutputLength = sizeof(gpio_multi_mode);
 
 	if (copy_from_user(&gpio_multi_mode, IoBuffer.InputBuffer, IoBuffer.InputLength))
 		return -EFAULT;
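Review bot: The two length checks in this function now behave differently: an oversized InputLength fails with -EINVAL, while an oversized OutputLength is silently reduced to sizeof(gpio_multi_mode), so the caller has no indication that less data than requested will come back. If truncation is deliberate (for example to avoid breaking existing callers that pass a larger buffer), say so in the commit message or in a one-line comment above the check; otherwise returning -EINVAL here would match the input-side check two lines up. The same two-line clamp is added in bcm_char_ioctl_gpio_multi_request() as well, so a small shared helper would keep the two in step.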


* Re: [patch 1/2] staging/bcm: two information leaks in ioctl
From: Dave Jones @ 2014-02-17 19:59 UTC (permalink / raw)
  To: kernel-janitors

On Mon, Feb 17, 2014 at 10:56:06PM +0300, Dan Carpenter wrote:
 > There are a couple paths where we don't check how much data we copy back
 > to the user.

I'm curious, is this something smatch is only picking up now that
I chopped up that mega function into lots of little functions ?

	Dave




* Re: [patch 1/2] staging/bcm: two information leaks in ioctl
From: Dan Carpenter @ 2014-02-17 20:13 UTC (permalink / raw)
  To: kernel-janitors

On Mon, Feb 17, 2014 at 02:59:19PM -0500, Dave Jones wrote:
> On Mon, Feb 17, 2014 at 10:56:06PM +0300, Dan Carpenter wrote:
>  > There are a couple paths where we don't check how much data we copy back
>  > to the user.
> 
> I'm curious, is this something smatch is only picking up now that
> I chopped up that mega function into lots of little functions ?

Yes.  Smatch wasn't able to parse it before the breakup.  Too huge.

regards,
dan carpenter



* Re: [patch 1/2] staging/bcm: two information leaks in ioctl
From: Dave Jones @ 2014-02-17 20:23 UTC (permalink / raw)
  To: kernel-janitors

On Mon, Feb 17, 2014 at 11:13:16PM +0300, Dan Carpenter wrote:
 > On Mon, Feb 17, 2014 at 02:59:19PM -0500, Dave Jones wrote:
 > > On Mon, Feb 17, 2014 at 10:56:06PM +0300, Dan Carpenter wrote:
 > >  > There are a couple paths where we don't check how much data we copy back
 > >  > to the user.
 > > 
 > > I'm curious, is this something smatch is only picking up now that
 > > I chopped up that mega function into lots of little functions ?
 > 
 > Yes.  Smatch wasn't able to parse it before the breakup.  Too huge.

Excellent. That gives me incentive to do that sort of crap work more often.

	Dave

