* [PATCH] new sysctl checking accesses userspace directly
@ 2003-07-13 13:35 Petr Vandrovec
From: Petr Vandrovec @ 2003-07-13 13:35 UTC (permalink / raw)
To: torvalds; +Cc: linux-kernel, ak, mingo
Hi Linus,
a recent change from Andi breaks here: tmp.name is a pointer, not
an array, in __sysctl_args, and so it is better to access it through
copy_from_user instead of directly.
With the patch below it does not crash with an unhandled kernel paging
request anymore.
Thanks,
Petr Vandrovec
vandrove@vc.cvut.cz
--- linux/kernel/sysctl.c 2003-07-13 01:37:39.000000000 +0200
+++ linux/kernel/sysctl.c 2003-07-13 15:15:06.000000000 +0200
@@ -848,17 +848,25 @@
asmlinkage long sys_sysctl(struct __sysctl_args __user *args)
{
struct __sysctl_args tmp;
+ int name[2];
int error;
if (copy_from_user(&tmp, args, sizeof(tmp)))
return -EFAULT;
- if (tmp.nlen != 2 || tmp.name[0] != CTL_KERN ||
- tmp.name[1] != KERN_VERSION) {
+ if (tmp.nlen != 2 || copy_from_user(name, tmp.name, sizeof(name)) ||
+ name[0] != CTL_KERN || name[1] != KERN_VERSION) {
int i;
printk(KERN_INFO "%s: numerical sysctl ", current->comm);
- for (i = 0; i < tmp.nlen; i++)
- printk("%d ", tmp.name[i]);
+ for (i = 0; i < tmp.nlen; i++) {
+ int n;
+
+ if (get_user(n, tmp.name+i)) {
+ printk("? ");
+ } else {
+ printk("%d ", n);
+ }
+ }
printk("is obsolete.\n");
}
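Review bot: the logging loop `for (i = 0; i < tmp.nlen; i++)` is bounded only by tmp.nlen, which was just copied from the user-supplied args and on this path has only been compared against 2, so a caller passing a very large nlen makes the kernel issue one get_user() and one printk() per element, flooding the log and holding the syscall for as long as the loop runs. Clamp the count before the loop (CTL_MAXNAME is the natural limit) and consider rate limiting the message. A smaller point in the same hunk: the names are fetched from userspace twice, once by copy_from_user() for the check and again by get_user() for the print, so the logged values can differ from the ones that were tested; when nlen is 2 and the copy succeeded, printing from name[] would avoid the second fetch.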