tree ba62bf7de680c10c00224305d628b484494918a1
parent 36676bcbf9f6bcbea9d06e67ee8d04eacde54952
author Al Viro <[EMAIL PROTECTED]> Sat, 27 Aug 2005 06:48:15 +0100
committer Linus Torvalds <[EMAIL PROTECTED]> Sun, 28 Aug 2005 00:11:40 -0700

[PATCH] mmaper_kern.c fixes [buffer overruns]

 - copy_from_user() can fail; ->write() must check its return value.

 - severe buffer overruns both in ->read() and ->write() - lseek to the
   end (i.e.  to mmapper_size) and

        if (count + *ppos > mmapper_size)
                count = count + *ppos - mmapper_size;

   will do absolutely nothing.  Then it will call

        copy_to_user(buf,&v_buf[*ppos],count);

   with obvious results (similar for ->write()).

   Fixed by turning read to simple_read_from_buffer() and by doing
   normal limiting of count in ->write().

 - gratuitous lock_kernel() in ->mmap() - it's useless there.

 - lots of gratuitous includes.

Signed-off-by: Al Viro <[EMAIL PROTECTED]>
Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>

 arch/um/drivers/mmapper_kern.c |   41 +++++++++--------------------------------
 1 files changed, 9 insertions(+), 32 deletions(-)

diff --git a/arch/um/drivers/mmapper_kern.c b/arch/um/drivers/mmapper_kern.c
--- a/arch/um/drivers/mmapper_kern.c
+++ b/arch/um/drivers/mmapper_kern.c
@@ -9,19 +9,11 @@
  *
  */
 
-#include <linux/types.h>
-#include <linux/kdev_t.h>
-#include <linux/time.h>
-#include <linux/devfs_fs_kernel.h>
+#include <linux/init.h> 
 #include <linux/module.h>
 #include <linux/mm.h> 
-#include <linux/slab.h>
-#include <linux/init.h> 
-#include <linux/smp_lock.h>
 #include <linux/miscdevice.h>
 #include <asm/uaccess.h>
-#include <asm/irq.h>
-#include <asm/pgtable.h>
 #include "mem_user.h"
 #include "user_util.h"
  
@@ -31,35 +23,22 @@ static unsigned long p_buf = 0;
 static char *v_buf = NULL;
 
 static ssize_t
-mmapper_read(struct file *file, char *buf, size_t count, loff_t *ppos)
+mmapper_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)
 {
-       if(*ppos > mmapper_size)
-               return -EINVAL;
-
-       if(count + *ppos > mmapper_size)
-               count = count + *ppos - mmapper_size;
-
-       if(count < 0)
-               return -EINVAL;
- 
-       copy_to_user(buf,&v_buf[*ppos],count);
-       
-       return count;
+       return simple_read_from_buffer(buf, count, ppos, v_buf, mmapper_size);
 }
 
 static ssize_t
-mmapper_write(struct file *file, const char *buf, size_t count, loff_t *ppos)
+mmapper_write(struct file *file, const char __user *buf, size_t count, loff_t 
*ppos)
 {
-       if(*ppos > mmapper_size)
+       if (*ppos > mmapper_size)
                return -EINVAL;
 
-       if(count + *ppos > mmapper_size)
-               count = count + *ppos - mmapper_size;
-
-       if(count < 0)
-               return -EINVAL;
+       if (count > mmapper_size - *ppos)
+               count = mmapper_size - *ppos;
 
-       copy_from_user(&v_buf[*ppos],buf,count);
+       if (copy_from_user(&v_buf[*ppos], buf, count))
+               return -EFAULT;
        
        return count;
 }
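Review bot: The new bounds check in mmapper_write() guards only the upper end; `*ppos` is a signed loff_t and nothing in the function rejects a negative value before it is used in `mmapper_size - *ppos` and as the index in `&v_buf[*ppos]`. Whether a negative offset is caught implicitly depends on the type of mmapper_size, which is declared outside this hunk, and on what the VFS callers guarantee, so an explicit guard such as `if (*ppos < 0 || *ppos > mmapper_size) return -EINVAL;` would make the function safe on its own. Separately, mmapper_read() now advances the file position through simple_read_from_buffer(), while mmapper_write() still returns `count` without updating it, so consecutive write() calls land on the same offset; adding `*ppos += count;` before the return would make the two paths consistent. A one-line comment above the clamp stating that `count` is limited to the space left in v_buf would also help the next reader.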
@@ -77,7 +56,6 @@ mmapper_mmap(struct file *file, struct v
        int ret = -EINVAL;
        int size;
 
-       lock_kernel();
        if (vma->vm_pgoff != 0)
                goto out;
        
@@ -92,7 +70,6 @@ mmapper_mmap(struct file *file, struct v
                goto out;
        ret = 0;
 out:
-       unlock_kernel();
        return ret;
 }
 
-