
net/compat: Fix minor information leak in siocdevprivate_ioctl()

We don't need to check that ifr_data itself is a valid user pointer,
but we should check that &ifr_data is. Thankfully the copy of ifr_name is
checked, so this can only leak a few bytes from immediately above the
user address limit.

Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>

+2 -5
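--- a/net/socket.c
+++ b/net/socket.c
@@ -3015,19 +3015,16 @@
 	if (copy_from_user(&tmp_buf[0], &(u_ifreq32->ifr_ifrn.ifrn_name[0]),
 			   IFNAMSIZ))
 		return -EFAULT;
-	if (__get_user(data32, &u_ifreq32->ifr_ifru.ifru_data))
+	if (get_user(data32, &u_ifreq32->ifr_ifru.ifru_data))
 		return -EFAULT;
 	data64 = compat_ptr(data32);
 
 	u_ifreq64 = compat_alloc_user_space(sizeof(*u_ifreq64));
 
-	/* Don't check these user accesses, just let that get trapped
-	 * in the ioctl handler instead.
-	 */
 	if (copy_to_user(&u_ifreq64->ifr_ifrn.ifrn_name[0], &tmp_buf[0],
 			 IFNAMSIZ))
 		return -EFAULT;
-	if (__put_user(data64, &u_ifreq64->ifr_ifru.ifru_data))
+	if (put_user(data64, &u_ifreq64->ifr_ifru.ifru_data))
 		return -EFAULT;
 
 	return dev_ioctl(net, cmd, u_ifreq64);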
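Review bot: The switch to get_user()/put_user() on the `ifru_data` lines leaves no trace of why the checked accessors are required now that the old "Don't check these user accesses" comment is gone, and the next reader may well "optimise" them back to the unchecked variants. I would keep a one-line comment above the get_user() call, e.g. `/* ifru_data sits after the IFNAMSIZ bytes that copy_from_user() validated above, so it needs its own access_ok()-checked access. */`. An alternative that removes the split validation altogether is to read the whole compat struct in one go, `struct compat_ifreq ifr32; if (copy_from_user(&ifr32, u_ifreq32, sizeof(ifr32))) return -EFAULT;`, and then take both the name and `ifru_data` from `ifr32`, which is a single bounds check over the full user object rather than two partial ones. siocdevprivate_ioctl() starts before this hunk, so the declarations of tmp_buf, data32 and data64 are not visible here.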