As found by sparse, a user space pointer is assigned to a kernel
data structure while calling other code with set_fs(KERNEL_DS),
which could lead to leaking kernel data if that pointer is
ever accessed.
I could not find any place in the floppy drivers that actually
uses that pointer, but assigning it to an empty string is
a safer choice and gets rid of the sparse warning.
Signed-off-by: Arnd Bergmann <[email protected]>
Index: linux-2.6/block/compat_ioctl.c
===================================================================
--- linux-2.6.orig/block/compat_ioctl.c
+++ linux-2.6/block/compat_ioctl.c
@@ -349,7 +349,7 @@ static int compat_fd_ioctl(struct inode
err |= __get_user(f->spec1, &uf->spec1);
err |= __get_user(f->fmt_gap, &uf->fmt_gap);
err |= __get_user(name, &uf->name);
- f->name = compat_ptr(name);
+ f->name = "";
if (err) {
err = -EFAULT;
goto out;
--
On Sat, Oct 06, 2007 at 08:19:11PM +0200, Arnd Bergmann wrote:
> As found by sparse, a user space pointer is assigned to a kernel
> data structure while calling other code with set_fs(KERNEL_DS),
> which could lead to leaking kernel data if that pointer is
> ever accessed.
>
> I could not find any place in the floppy drivers that actually
> uses that pointer, but assigning it to an empty string is
> a safer choice and gets rid of the sparse warning.
FWIW, I'd kill kmalloc(), switched to compat_alloc_user_space() and
copy_in_user() / get_user()+put_user(). And kill set_fs() around that
sys_ioctl()... Separate from the rest of this series, though.