On Fri, Jun 02, 2006 at 04:21:44PM -0700, Andrew Morton wrote:
> > Either way it's still a userspace pointer (the data itself didn't change
> > in the copy_from_user), and we are using that data to pass to that
> > function.
>
> Yes, it's a userspace pointer. But in the present code, we're reading that
> *pointer*'s value direct from userspace.
>
> But after the patch, we're reading that pointer-to-userspace from kernel
> memory.
>
> It's the difference between:
>
>     reference((struct foo __user *)arg);
>
> and
>
>     copy_from_user(tmp, arg, sizeof(arg));
>     reference((struct foo *)tmp);
>
>
> After doing that, we pass this userspace pointer into proc_do_submiturb(),
> which handles it.
>
> I think. ;)
>
> > Unless on some arches we can't walk into a userspace structure?
>
> That's OK, as long as we use the appropriate uaccess functions.

Ok, I'll fix it. But you all missed the other place this happens. Here's the patch that I've added to my tree for this. thanks, greg k-h >From [EMAIL PROTECTED] Fri Jun 2 16:36:04 2006 Message-Id: <[EMAIL PROTECTED]> From: Philippe Retornaz <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Date: Thu, 01 Jun 2006 20:48:46 -0700 Cc: [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: usb: drivers/usb/core/devio.c dereferences a userspace pointer From: Philippe Retornaz <[EMAIL PROTECTED]> See http://bugzilla.kernel.org/show_bug.cgi?id=6617. This function dereference a __user pointer. Signed-off-by: Philippe Retornaz <[EMAIL PROTECTED]> Signed-off-by: Andrew Morton <[EMAIL PROTECTED]> Signed-off-by: Greg Kroah-Hartman <[EMAIL PROTECTED]> --- drivers/usb/core/devio.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- gregkh-2.6.orig/drivers/usb/core/devio.c +++ gregkh-2.6/drivers/usb/core/devio.c @@ -1078,7 +1078,9 @@ static int proc_submiturb(struct dev_sta if (copy_from_user(&uurb, arg, sizeof(uurb))) return -EFAULT; - return proc_do_submiturb(ps, &uurb, (((struct usbdevfs_urb __user *)arg)->iso_frame_desc), arg); + return proc_do_submiturb(ps, &uurb, + (struct usbdevfs_iso_packet_desc __user *)uurb.iso_frame_desc, + arg); } static int proc_unlinkurb(struct dev_state *ps, void __user *arg) @@ -1203,7 +1205,9 @@ static int proc_submiturb_compat(struct if (get_urb32(&uurb,(struct usbdevfs_urb32 *)arg)) return -EFAULT; - return proc_do_submiturb(ps, &uurb, ((struct usbdevfs_urb32 __user *)arg)->iso_frame_desc, arg); + return proc_do_submiturb(ps, &uurb, + (struct usbdevfs_iso_packet_desc __user *)uurb.iso_frame_desc, + arg); } static int processcompl_compat(struct async *as, void __user * __user *arg) _______________________________________________ [email protected] To unsubscribe, use the last form field at: https://lists.sourceforge.net/lists/listinfo/linux-usb-devel
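
Review bot: The cast to `struct usbdevfs_iso_packet_desc __user *` on `uurb.iso_frame_desc` in the proc_submiturb() hunk needs justifying, because the removed arg-based expression was passed to proc_do_submiturb() without any cast to that type. That suggests the member is not itself a __user pointer field. If iso_frame_desc is an array embedded in struct usbdevfs_urb, the old `((struct usbdevfs_urb __user *)arg)->iso_frame_desc` was only address arithmetic on arg with no load from userspace, and the new expression hands proc_do_submiturb() an address inside the on-stack uurb that the cast merely labels __user. Please check the member's declaration before applying; if it is an array, keep the arg-based form and add a comment saying that no dereference takes place.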
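
Review bot: In the proc_submiturb_compat() hunk, `uurb.iso_frame_desc` is only meaningful if get_urb32() fills that member, and nothing visible here shows that it does. The removed line took the address from the `struct usbdevfs_urb32` layout at arg, while the new one takes it from the native-layout copy, so the two need not name the same location. Please confirm against get_urb32() and say in the changelog why they are equivalent. Separately, the context line `get_urb32(&uurb,(struct usbdevfs_urb32 *)arg)` casts arg without __user, unlike the line being removed, which is worth tidying in the same patch.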
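
The distinction drawn in the quoted discussion above, extended to the case where the member is an inline array rather than a pointer field, as an added userspace C example that is not from the thread or from the kernel source. The struct names, their layouts, the static "user" buffers and the memcpy() standing in for copy_from_user() are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins, not the kernel's definitions. */
struct pkt_desc { unsigned int length; unsigned int status; };

struct req_ptr {                /* descriptors reached through a pointer field */
    int count;
    struct pkt_desc *descs;
};

struct req_arr {                /* descriptors stored inline after the header */
    int count;
    struct pkt_desc descs[2];
};

/* Constructed "user" buffers; kernel code would use copy_from_user(). */
static struct pkt_desc user_descs[2];
static struct req_ptr user_ptr_req = { 2, user_descs };
static struct req_arr user_arr_req = { 2, { { 8, 0 }, { 16, 0 } } };

/* Pointer field: its value has to be loaded, so read it from the copy. */
int ptr_field_from_copy_is_user_address(void)
{
    struct req_ptr tmp;
    memcpy(&tmp, &user_ptr_req, sizeof(tmp));   /* models copy_from_user() */
    return tmp.descs == user_descs;
}

/* Array member through the original pointer: address arithmetic, no load. */
int arr_member_via_arg_is_user_address(void)
{
    void *arg = &user_arr_req;
    uintptr_t got = (uintptr_t)((struct req_arr *)arg)->descs;
    return got == (uintptr_t)arg + offsetof(struct req_arr, descs);
}

/* Array member through the copy: the address lies in the local copy. */
int arr_member_via_copy_is_user_address(void)
{
    struct req_arr tmp;
    void *arg = &user_arr_req;
    memcpy(&tmp, arg, sizeof(tmp));
    return (uintptr_t)tmp.descs == (uintptr_t)arg + offsetof(struct req_arr, descs);
}
```

The third function returns 0: taking an array member from the copied struct yields an address in the copy, which is why the member's declaration decides which form is correct.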
