[PATCH] staging: gasket: Fix sizeof() in gasket_handle_ioctl()

[PATCH] staging: gasket: Fix sizeof() in gasket_handle_ioctl()

[Dan Carpenter]

The "gasket_dev->num_page_tables" variable is an int but this is copying
sizeof(u64).  On 32 bit systems this would end up disclosing a kernel
pointer to user space, but on 64 bit it copies zeroes from a struct
hole.

Fixes: 9a69f5087ccc ("drivers/staging: Gasket driver framework + Apex driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
This is an API change.  Please review this carefully!  Another potential
fix would be to make ->num_page_tables a long instead of an int.

 drivers/staging/gasket/gasket_ioctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/gasket/gasket_ioctl.c b/drivers/staging/gasket/gasket_ioctl.c
index e3047d36d8db..c4abac35c1ca 100644
--- a/drivers/staging/gasket/gasket_ioctl.c
+++ b/drivers/staging/gasket/gasket_ioctl.c
@@ -318,7 +318,7 @@ long gasket_handle_ioctl(struct file *filp, uint cmd, void __user *argp)
 	case GASKET_IOCTL_NUMBER_PAGE_TABLES:
 		trace_gasket_ioctl_integer_data(gasket_dev->num_page_tables);
 		if (copy_to_user(argp, &gasket_dev->num_page_tables,
-				 sizeof(uint64_t)))
+				 sizeof(gasket_dev->num_page_tables)))
 			retval = -EFAULT;
 		else
 			retval = 0;
-- 
2.29.2

_______________________________________________
devel mailing list
devel@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Re: [PATCH] staging: gasket: Fix sizeof() in gasket_handle_ioctl()

[Greg Kroah-Hartman]

On Fri, Jan 22, 2021 at 06:01:13PM +0300, Dan Carpenter wrote:
> The "gasket_dev->num_page_tables" variable is an int but this is copying
> sizeof(u64).  On 32 bit systems this would end up disclosing a kernel
> pointer to user space, but on 64 bit it copies zeroes from a struct
> hole.
> 
> Fixes: 9a69f5087ccc ("drivers/staging: Gasket driver framework + Apex driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> This is an API change.  Please review this carefully!  Another potential
> fix would be to make ->num_page_tables a long instead of an int.
> 
>  drivers/staging/gasket/gasket_ioctl.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Looks like this driver is dead, with no response from anyone from
Google.

Should I just delete it?  The goal of using normal apis and getting this
out of staging seems to have totally died, so it shouldn't even still be
living in the kernel tree.  Even if having it here actually finds
security issues that the authors missed like this :(

So, any objection to me deleting it?

thanks,

greg k-h
_______________________________________________
devel mailing list
devel@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

AW: [PATCH] staging: gasket: Fix sizeof() in gasket_handle_ioctl()

[Walter Harms]

why not mark it as "Deprecated" and remove it with the next version ? Maybe soneone will wakeup ?

re,
 wh
________________________________________
Von: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Gesendet: Dienstag, 9. März 2021 14:26:55
An: Dan Carpenter
Cc: Rob Springer; devel@driverdev.osuosl.org; kernel-janitors@vger.kernel.org; John Joseph; Simon Que; Richard Yeh; Todd Poynor
Betreff: Re: [PATCH] staging: gasket: Fix sizeof() in gasket_handle_ioctl()

On Fri, Jan 22, 2021 at 06:01:13PM +0300, Dan Carpenter wrote:
> The "gasket_dev->num_page_tables" variable is an int but this is copying
> sizeof(u64).  On 32 bit systems this would end up disclosing a kernel
> pointer to user space, but on 64 bit it copies zeroes from a struct
> hole.
>
> Fixes: 9a69f5087ccc ("drivers/staging: Gasket driver framework + Apex driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> This is an API change.  Please review this carefully!  Another potential
> fix would be to make ->num_page_tables a long instead of an int.
>
>  drivers/staging/gasket/gasket_ioctl.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Looks like this driver is dead, with no response from anyone from
Google.

Should I just delete it?  The goal of using normal apis and getting this
out of staging seems to have totally died, so it shouldn't even still be
living in the kernel tree.  Even if having it here actually finds
security issues that the authors missed like this :(

So, any objection to me deleting it?

thanks,

greg k-h
_______________________________________________
devel mailing list
devel@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel

Re: [PATCH] staging: gasket: Fix sizeof() in gasket_handle_ioctl()

[Greg Kroah-Hartman]

On Tue, Mar 09, 2021 at 04:57:59PM +0000, Walter Harms wrote:
> why not mark it as "Deprecated" and remove it with the next version ? Maybe soneone will wakeup ?

We don't really have a "Deprecated" marking, we just delete them :)

thanks,

greg k-h
_______________________________________________
devel mailing list
devel@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel