| Message ID | 1505877071-76996-1-git-send-email-mengxu.gatech@gmail.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
On Tue, Sep 19, 2017 at 11:11:11PM -0400, Meng Xu wrote: > Since right after the user copy, we are going to > memset(&karg, 0, sizeof(karg)), I guess an access_ok check is enough? The right thing is to remove it entirely.
On Tue, Sep 19, 2017 at 11:11:11PM -0400, Meng Xu wrote: > Since right after the user copy, we are going to > memset(&karg, 0, sizeof(karg)), I guess an access_ok check is enough? access_ok() is *NOT* "will copy_from_user() succeed?" Not even close. On a bunch of architectures (sparc64, for one) access_ok() is always true. All it does is checking that address is not a kernel one - e.g. on i386 anything in range 0..3Gb qualifies. Whether anything's mapped at that address or not. Why bother with that copy_from_user() at all? The same ioctl() proceeds to copy_to_user() on exact same range; all you get from it is "if the area passed by caller is writable, but not readable, fail with -EFAULT". Who cares? Just drop that copy_from_user() completely. Anything access_ok() might've caught will be caught by copy_to_user() anyway.
> On Sep 20, 2017, at 11:26 PM, Al Viro <viro@ZenIV.linux.org.uk> wrote: > > On Tue, Sep 19, 2017 at 11:11:11PM -0400, Meng Xu wrote: >> Since right after the user copy, we are going to >> memset(&karg, 0, sizeof(karg)), I guess an access_ok check is enough? > > access_ok() is *NOT* "will copy_from_user() succeed?" Not even close. > On a bunch of architectures (sparc64, for one) access_ok() is always > true. > > All it does is checking that address is not a kernel one - e.g. on > i386 anything in range 0..3Gb qualifies. Whether anything's mapped > at that address or not. > > Why bother with that copy_from_user() at all? The same ioctl() > proceeds to copy_to_user() on exact same range; all you get from > it is "if the area passed by caller is writable, but not readable, > fail with -EFAULT". Who cares? > > Just drop that copy_from_user() completely. Anything access_ok() > might've caught will be caught by copy_to_user() anyway. Yes, Christoph has suggested the same thing and I have submitted another patch with copy_from_user removed entirely.
diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt3sas/mpt3sas_ctl.c index bdffb69..b363d2d 100644 --- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c +++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c @@ -1065,7 +1065,7 @@ _ctl_getiocinfo(struct MPT3SAS_ADAPTER *ioc, void __user *arg) { struct mpt3_ioctl_iocinfo karg; - if (copy_from_user(&karg, arg, sizeof(karg))) { + if (!access_ok(VERIFY_READ, arg, sizeof(karg))) { pr_err("failure at %s:%d/%s()!\n", __FILE__, __LINE__, __func__); return -EFAULT;
Since right after the user copy, we are going to memset(&karg, 0, sizeof(karg)), I guess an access_ok check is enough? Signed-off-by: Meng Xu <mengxu.gatech@gmail.com> --- drivers/scsi/mpt3sas/mpt3sas_ctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)