All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] mpt3sas: downgrade full copy_from_user to access_ok check
@ 2017-09-20  3:11 Meng Xu
  2017-09-20 15:04 ` Christoph Hellwig
  2017-09-21  3:26 ` Al Viro
  0 siblings, 2 replies; 4+ messages in thread
From: Meng Xu @ 2017-09-20  3:11 UTC (permalink / raw)
  To: sathya.prakash, chaitra.basappa, suganath-prabu.subramani, jejb,
	martin.petersen, MPT-FusionLinux.pdl, linux-scsi, linux-kernel
  Cc: meng.xu, sanidhya, taesoo, Meng Xu

Since right after the user copy, we are going to
memset(&karg, 0, sizeof(karg)), I guess an access_ok check is enough?

Signed-off-by: Meng Xu <mengxu.gatech@gmail.com>
---
 drivers/scsi/mpt3sas/mpt3sas_ctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
index bdffb69..b363d2d 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
@@ -1065,7 +1065,7 @@ _ctl_getiocinfo(struct MPT3SAS_ADAPTER *ioc, void __user *arg)
 {
 	struct mpt3_ioctl_iocinfo karg;
 
-	if (copy_from_user(&karg, arg, sizeof(karg))) {
+	if (!access_ok(VERIFY_READ, arg, sizeof(karg))) {
 		pr_err("failure at %s:%d/%s()!\n",
 		    __FILE__, __LINE__, __func__);
 		return -EFAULT;
-- 
2.7.4

^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH] mpt3sas: downgrade full copy_from_user to access_ok check
  2017-09-20  3:11 [PATCH] mpt3sas: downgrade full copy_from_user to access_ok check Meng Xu
@ 2017-09-20 15:04 ` Christoph Hellwig
  2017-09-21  3:26 ` Al Viro
  1 sibling, 0 replies; 4+ messages in thread
From: Christoph Hellwig @ 2017-09-20 15:04 UTC (permalink / raw)
  To: Meng Xu
  Cc: sathya.prakash, chaitra.basappa, suganath-prabu.subramani, jejb,
	martin.petersen, MPT-FusionLinux.pdl, linux-scsi, linux-kernel,
	meng.xu, sanidhya, taesoo

On Tue, Sep 19, 2017 at 11:11:11PM -0400, Meng Xu wrote:
> Since right after the user copy, we are going to
> memset(&karg, 0, sizeof(karg)), I guess an access_ok check is enough?

The right thing is to remove it entirely.

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH] mpt3sas: downgrade full copy_from_user to access_ok check
  2017-09-20  3:11 [PATCH] mpt3sas: downgrade full copy_from_user to access_ok check Meng Xu
  2017-09-20 15:04 ` Christoph Hellwig
@ 2017-09-21  3:26 ` Al Viro
  2017-09-21  3:32   ` Meng Xu
  1 sibling, 1 reply; 4+ messages in thread
From: Al Viro @ 2017-09-21  3:26 UTC (permalink / raw)
  To: Meng Xu
  Cc: sathya.prakash, chaitra.basappa, suganath-prabu.subramani, jejb,
	martin.petersen, MPT-FusionLinux.pdl, linux-scsi, linux-kernel,
	meng.xu, sanidhya, taesoo

On Tue, Sep 19, 2017 at 11:11:11PM -0400, Meng Xu wrote:
> Since right after the user copy, we are going to
> memset(&karg, 0, sizeof(karg)), I guess an access_ok check is enough?

access_ok() is *NOT* "will copy_from_user() succeed?"  Not even close.
On a bunch of architectures (sparc64, for one) access_ok() is always
true.

All it does is checking that address is not a kernel one - e.g. on
i386 anything in range 0..3Gb qualifies.  Whether anything's mapped
at that address or not.

Why bother with that copy_from_user() at all?  The same ioctl()
proceeds to copy_to_user() on exact same range; all you get from
it is "if the area passed by caller is writable, but not readable,
fail with -EFAULT".  Who cares?

Just drop that copy_from_user() completely.  Anything access_ok()
might've caught will be caught by copy_to_user() anyway.

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH] mpt3sas: downgrade full copy_from_user to access_ok check
  2017-09-21  3:26 ` Al Viro
@ 2017-09-21  3:32   ` Meng Xu
  0 siblings, 0 replies; 4+ messages in thread
From: Meng Xu @ 2017-09-21  3:32 UTC (permalink / raw)
  To: Al Viro
  Cc: sathya.prakash, chaitra.basappa, suganath-prabu.subramani, jejb,
	martin.petersen, MPT-FusionLinux.pdl, linux-scsi, linux-kernel,
	meng.xu, sanidhya, taesoo


> On Sep 20, 2017, at 11:26 PM, Al Viro <viro@ZenIV.linux.org.uk> wrote:
> 
> On Tue, Sep 19, 2017 at 11:11:11PM -0400, Meng Xu wrote:
>> Since right after the user copy, we are going to
>> memset(&karg, 0, sizeof(karg)), I guess an access_ok check is enough?
> 
> access_ok() is *NOT* "will copy_from_user() succeed?"  Not even close.
> On a bunch of architectures (sparc64, for one) access_ok() is always
> true.
> 
> All it does is checking that address is not a kernel one - e.g. on
> i386 anything in range 0..3Gb qualifies.  Whether anything's mapped
> at that address or not.
> 
> Why bother with that copy_from_user() at all?  The same ioctl()
> proceeds to copy_to_user() on exact same range; all you get from
> it is "if the area passed by caller is writable, but not readable,
> fail with -EFAULT".  Who cares?
> 
> Just drop that copy_from_user() completely.  Anything access_ok()
> might've caught will be caught by copy_to_user() anyway.

Yes, Christoph has suggested the same thing and I have submitted 
another patch with copy_from_user removed entirely.

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2017-09-21  3:32 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-09-20  3:11 [PATCH] mpt3sas: downgrade full copy_from_user to access_ok check Meng Xu
2017-09-20 15:04 ` Christoph Hellwig
2017-09-21  3:26 ` Al Viro
2017-09-21  3:32   ` Meng Xu

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.