[PATCH] mmaper_kern.c fixes [buffer overruns]

	* copy_from_user() can fail; ->write() must check its return
value.
	* severe buffer overruns both in ->read() and ->write() - lseek
to the end (i.e. to mmapper_size) and
	if(count + *ppos > mmapper_size)
		count = count + *ppos - mmapper_size;
will do absolutely nothing.  Then it will call
	copy_to_user(buf,&v_buf[*ppos],count);
with obvious results (similar for ->write()).
	Fixed by turning read to simple_read_from_buffer() and by doing
normal limiting of count in ->write().
	* gratitious lock_kernel() in ->mmap() - it's useless there.
	* lots of gratitious includes.

Signed-off-by: Al Viro <[email protected]>
----
diff -urN RC13-rc7-base/arch/um/drivers/mmapper_kern.c current/arch/um/drivers/mmapper_kern.c
--- RC13-rc7-base/arch/um/drivers/mmapper_kern.c	2005-06-17 15:48:29.000000000 -0400
+++ current/arch/um/drivers/mmapper_kern.c	2005-08-27 01:25:20.000000000 -0400
@@ -9,19 +9,11 @@
  *
  */
 
-#include <linux/types.h>
-#include <linux/kdev_t.h>
-#include <linux/time.h>
-#include <linux/devfs_fs_kernel.h>
+#include <linux/init.h> 
 #include <linux/module.h>
 #include <linux/mm.h> 
-#include <linux/slab.h>
-#include <linux/init.h> 
-#include <linux/smp_lock.h>
 #include <linux/miscdevice.h>
 #include <asm/uaccess.h>
-#include <asm/irq.h>
-#include <asm/pgtable.h>
 #include "mem_user.h"
 #include "user_util.h"
  
@@ -31,35 +23,22 @@
 static char *v_buf = NULL;
 
 static ssize_t
-mmapper_read(struct file *file, char *buf, size_t count, loff_t *ppos)
+mmapper_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)
 {
-	if(*ppos > mmapper_size)
-		return -EINVAL;
-
-	if(count + *ppos > mmapper_size)
-		count = count + *ppos - mmapper_size;
-
-	if(count < 0)
-		return -EINVAL;
- 
-	copy_to_user(buf,&v_buf[*ppos],count);
-	
-	return count;
+	return simple_read_from_buffer(buf, count, ppos, v_buf, mmapper_size);
 }
 
 static ssize_t
-mmapper_write(struct file *file, const char *buf, size_t count, loff_t *ppos)
+mmapper_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos)
 {
-	if(*ppos > mmapper_size)
+	if (*ppos > mmapper_size)
 		return -EINVAL;
 
-	if(count + *ppos > mmapper_size)
-		count = count + *ppos - mmapper_size;
-
-	if(count < 0)
-		return -EINVAL;
+	if (count > mmapper_size - *ppos)
+		count = mmapper_size - *ppos;
 
-	copy_from_user(&v_buf[*ppos],buf,count);
+	if (copy_from_user(&v_buf[*ppos], buf, count))
+		return -EFAULT;
 	
 	return count;
 }
@@ -77,7 +56,6 @@
 	int ret = -EINVAL;
 	int size;
 
-	lock_kernel();
 	if (vma->vm_pgoff != 0)
 		goto out;
 	
@@ -92,7 +70,6 @@
 		goto out;
 	ret = 0;
 out:
-	unlock_kernel();
 	return ret;
 }
 
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

---

• Prev by Date: Re: [patch] IBM HDAPS accelerometer driver, with probing.
• Next by Date: Re: [patch] IBM HDAPS accelerometer driver, with probing.
• Previous by thread: Oops with 2.6.13-rc6-mm2 and USB mouse
• Next by thread: help
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]