Message-Id: <20071006182343.857595918@arndb.de>
References: <20071006181902.141862534@arndb.de>
User-Agent: quilt/0.46-1
Date: Sat, 06 Oct 2007 20:19:11 +0200
From: Arnd Bergmann <arnd@arndb.de>
To: Jens Axboe <jens.axboe@oracle.com>
Cc: linux-kernel@vger.kernel.org, davem@davemloft.net, hch@lst.de,
       Al Viro <viro@ftp.linux.org.uk>
Subject: [patch 9/9] compat_ioctl: fix compat_fd_ioctl pointer access
Content-Disposition: inline; filename=compat-floppy-ioctl-pointer.diff
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1140
Lines: 31

As found by sparse, a user space pointer is assigned to a kernel
data structure while calling other code with set_fs(KERNEL_DS),
which could lead to leaking kernel data if that pointer is
ever accessed.

I could not find any place in the floppy drivers that actually
uses that pointer, but assigning it to an empty string is
a safer choice and gets rid of the sparse warning.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Index: linux-2.6/block/compat_ioctl.c
===================================================================
--- linux-2.6.orig/block/compat_ioctl.c
+++ linux-2.6/block/compat_ioctl.c
@@ -349,7 +349,7 @@ static int compat_fd_ioctl(struct inode 
 		err |= __get_user(f->spec1, &uf->spec1);
 		err |= __get_user(f->fmt_gap, &uf->fmt_gap);
 		err |= __get_user(name, &uf->name);
-		f->name = compat_ptr(name);
+		f->name = "";
 		if (err) {
 			err = -EFAULT;
 			goto out;

-- 

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/