Re: [PATCH 2/3] cciss: bug fix for BIG_PASS_THRU

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Nov 18 2005, mikem wrote:
> Patch 2 of 3
> 
> Applications using CCISS_BIG_PASSTHRU complained that the data written
> was zeros.  The code looked alright, but it seems that copy_from_user 
> already does a memset on the buffer. Removing it from the pass-through
> fixes the apps.

Hmm, I don't like this patch, since you never clear the buffer for reads
now. If the controller for some reason doesn't overwrite this buffer,
you could be leaking privileged data! Your bug is because you do:

        if (write && copy_from_user(...))
                fail
        else
                clear

so you end up in the clear case for any case where copy_from_user()
doesn't fail. I've fixed it up for you, this is what I committed:

diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
index e239a6c..33f8341 100644
--- a/drivers/block/cciss.c
+++ b/drivers/block/cciss.c
@@ -1017,10 +1017,11 @@ static int cciss_ioctl(struct inode *ino
 				status = -ENOMEM;
 				goto cleanup1;
 			}
-			if (ioc->Request.Type.Direction == XFER_WRITE &&
-				copy_from_user(buff[sg_used], data_ptr, sz)) {
+			if (ioc->Request.Type.Direction == XFER_WRITE) {
+				if (copy_from_user(buff[sg_used], data_ptr, sz)) {
 					status = -ENOMEM;
-					goto cleanup1;			
+					goto cleanup1;
+				}
 			} else {
 				memset(buff[sg_used], 0, sz);
 			}

-- 
Jens Axboe

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux