* [patch 1/2] staging/bcm: two information leaks in ioctl
@ 2014-02-17 19:56 Dan Carpenter
2014-02-17 19:59 ` Dave Jones
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Dan Carpenter @ 2014-02-17 19:56 UTC (permalink / raw)
To: kernel-janitors
There are a couple paths where we don't check how much data we copy back
to the user.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
diff --git a/drivers/staging/bcm/Bcmchar.c b/drivers/staging/bcm/Bcmchar.c
index fdebc3bba0b5..6f1997dc44c8 100644
--- a/drivers/staging/bcm/Bcmchar.c
+++ b/drivers/staging/bcm/Bcmchar.c
@@ -590,6 +590,8 @@ static int bcm_char_ioctl_gpio_multi_request(void __user *argp, struct bcm_mini_
if (IoBuffer.InputLength > sizeof(gpio_multi_info))
return -EINVAL;
+ if (IoBuffer.OutputLength > sizeof(gpio_multi_info))
+ IoBuffer.OutputLength = sizeof(gpio_multi_info);
if (copy_from_user(&gpio_multi_info, IoBuffer.InputBuffer, IoBuffer.InputLength))
return -EFAULT;
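Review bot: the new OutputLength check in bcm_char_ioctl_gpio_multi_request() silently clamps an oversized value, while the InputLength check directly above it rejects the same condition with -EINVAL. Say in the changelog or in a short comment why the two are handled differently, so the asymmetry does not look accidental. Also confirm that gpio_multi_info is zeroed before the copy_from_user(): that call fills only InputLength bytes, so if OutputLength is larger than InputLength, a clamp to sizeof(gpio_multi_info) still lets the unfilled tail of the buffer be copied back unless it was cleared first.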
@@ -680,6 +682,8 @@ static int bcm_char_ioctl_gpio_mode_request(void __user *argp, struct bcm_mini_a
if (IoBuffer.InputLength > sizeof(gpio_multi_mode))
return -EINVAL;
+ if (IoBuffer.OutputLength > sizeof(gpio_multi_mode))
+ IoBuffer.OutputLength = sizeof(gpio_multi_mode);
if (copy_from_user(&gpio_multi_mode, IoBuffer.InputBuffer, IoBuffer.InputLength))
return -EFAULT;
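Review bot: the clamp in bcm_char_ioctl_gpio_mode_request() sits before the copy_from_user(), but the copy back to the user that it is meant to bound is outside the context shown, so a reader cannot tell from the hunk that every later use of IoBuffer.OutputLength sees the clamped value. Either apply the limit where the copy-back happens or name that call in the changelog. As a style point, the two added lines are an open-coded minimum and could be a single min_t() assignment using the field's own type.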
* Re: [patch 1/2] staging/bcm: two information leaks in ioctl
From: Dave Jones @ 2014-02-17 19:59 UTC (permalink / raw)
To: kernel-janitors
On Mon, Feb 17, 2014 at 10:56:06PM +0300, Dan Carpenter wrote:
> There are a couple paths where we don't check how much data we copy back
> to the user.
I'm curious, is this something smatch is only picking up now that
I chopped up that mega function into lots of little functions ?
Dave
* Re: [patch 1/2] staging/bcm: two information leaks in ioctl
From: Dan Carpenter @ 2014-02-17 20:13 UTC (permalink / raw)
To: kernel-janitors
On Mon, Feb 17, 2014 at 02:59:19PM -0500, Dave Jones wrote:
> On Mon, Feb 17, 2014 at 10:56:06PM +0300, Dan Carpenter wrote:
> > There are a couple paths where we don't check how much data we copy back
> > to the user.
>
> I'm curious, is this something smatch is only picking up now that
> I chopped up that mega function into lots of little functions ?
Yes. Smatch wasn't able to parse it before the breakup. Too huge.
regards,
dan carpenter
* Re: [patch 1/2] staging/bcm: two information leaks in ioctl
From: Dave Jones @ 2014-02-17 20:23 UTC (permalink / raw)
To: kernel-janitors
On Mon, Feb 17, 2014 at 11:13:16PM +0300, Dan Carpenter wrote:
> On Mon, Feb 17, 2014 at 02:59:19PM -0500, Dave Jones wrote:
> > On Mon, Feb 17, 2014 at 10:56:06PM +0300, Dan Carpenter wrote:
> > > There are a couple paths where we don't check how much data we copy back
> > > to the user.
> >
> > I'm curious, is this something smatch is only picking up now that
> > I chopped up that mega function into lots of little functions ?
>
> Yes. Smatch wasn't able to parse it before the breakup. Too huge.
Excellent. That gives me incentive to do that sort of crap work more often.
Dave