> + datalen = p->custom_len * sizeof(p->custom_data[0]);
signed
> + if (datalen > MAX_EFFECT_SIZE) {
unsigned
> + memcpy(einfo->buf, p->custom_data, datalen);
ungood
Hi,
>From: ext Alan Cox [mailto:[email protected]]
>Sent: 08 November, 2010 01:52
>
>> + datalen = p->custom_len * sizeof(p->custom_data[0]);
>
>signed
>
>> + if (datalen > MAX_EFFECT_SIZE) {
>
>unsigned
It should be unsigned. I'll fix it.
>> + memcpy(einfo->buf, p->custom_data, datalen);
>
>ungood
Yep, that's clearly wrong too. Should be copy_from_user() I suppose.
Thanks, Ilkka
On Mon, 8 Nov 2010 12:08:07 +0100
<[email protected]> wrote:
> Hi,
>
> >From: ext Alan Cox [mailto:[email protected]]
> >Sent: 08 November, 2010 01:52
> >
> >> + datalen = p->custom_len * sizeof(p->custom_data[0]);
> >
> >signed
> >
> >> + if (datalen > MAX_EFFECT_SIZE) {
> >
> >unsigned
>
> It should be unsigned. I'll fix it.
>
> >> + memcpy(einfo->buf, p->custom_data, datalen);
> >
> >ungood
>
> Yep, that's clearly wrong too. Should be copy_from_user() I suppose.
That I hadn't considered - and I'm not sure whether the caller is passed
a kernel copy or not. The problem I was looking at was just the signed
case
datalen < 0
if (datalen > MAX ..)
Nope
memcpy(kernel, mysource, vastly more than intended (unsigned))
>From: ext Alan Cox [mailto:[email protected]]
>Sent: 08 November, 2010 13:39
>
>On Mon, 8 Nov 2010 12:08:07 +0100
><[email protected]> wrote:
>
>> Hi,
>>
>> >From: ext Alan Cox [mailto:[email protected]]
>> >Sent: 08 November, 2010 01:52
>> >
>> >> + datalen = p->custom_len * sizeof(p->custom_data[0]);
>> >
>> >signed
>> >
>> >> + if (datalen > MAX_EFFECT_SIZE) {
>> >
>> >unsigned
>>
>> It should be unsigned. I'll fix it.
>>
>> >> + memcpy(einfo->buf, p->custom_data, datalen);
>> >
>> >ungood
>>
>> Yep, that's clearly wrong too. Should be copy_from_user() I suppose.
>
>That I hadn't considered - and I'm not sure whether the caller is passed
>a kernel copy or not. The problem I was looking at was just the signed
>case
>
> datalen < 0
> if (datalen > MAX ..)
> Nope
>
> memcpy(kernel, mysource, vastly more than intended (unsigned))
Ah, I got it now. Thanks for clarification :)
Cheers, Ilkka