Re: [CHECKER][PATCH] pnpbios dereferencing user pointer

Andrew Morton (akpm@digeo.com)
Mon, 2 Jun 2003 14:03:55 -0700


Hollis Blanchard <hollisb@us.ibm.com> wrote:
>
> Another simple case of a memcpy that should be copy_from_user...

There are also a bunch of memory leaks in there. I modified your patch
thusly:

diff -puN drivers/pnp/pnpbios/proc.c~pnpbios-oops-leak-fix drivers/pnp/pnpbios/proc.c
--- 25/drivers/pnp/pnpbios/proc.c~pnpbios-oops-leak-fix Mon Jun 2 13:59:29 2003
+++ 25-akpm/drivers/pnp/pnpbios/proc.c Mon Jun 2 14:02:26 2003
@@ -178,18 +178,31 @@ static int proc_write_node(struct file *
struct pnp_bios_node *node;
int boot = (long)data >> 8;
u8 nodenum = (long)data;
+ int ret = count;

node = pnpbios_kmalloc(node_info.max_node_size, GFP_KERNEL);
- if (!node) return -ENOMEM;
- if ( pnp_bios_get_dev_node(&nodenum, boot, node) )
- return -EIO;
- if (count != node->size - sizeof(struct pnp_bios_node))
- return -EINVAL;
- memcpy(node->data, buf, count);
- if (pnp_bios_set_dev_node(node->handle, boot, node) != 0)
- return -EINVAL;
+ if (!node)
+ return -ENOMEM;
+ if (pnp_bios_get_dev_node(&nodenum, boot, node)) {
+ ret -EIO;
+ goto out;
+ }
+ if (count != node->size - sizeof(struct pnp_bios_node)) {
+ ret = -EINVAL;
+ goto out;
+ }
+ if (copy_from_user(node->data, buf, count)) {
+ ret = -EFAULT;
+ goto out;
+ }
+ if (pnp_bios_set_dev_node(node->handle, boot, node) != 0) {
+ ret = -EINVAL;
+ goto out;
+ }
+ ret = count;
+out:
kfree(node);
- return count;
+ return ret;
}

int pnpbios_interface_attach_device(struct pnp_bios_node * node)
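Review bot: The line `ret -EIO;` in the pnp_bios_get_dev_node() failure branch is missing the assignment operator, so it is an expression statement with no effect and `ret` keeps the `count` it was initialised with on the first added line; a failed node lookup then frees the node and reports a full successful write to the caller instead of an error. It should read `ret = -EIO;`. With the `= count` initialiser removed (`int ret;`), the trailing `ret = count;` before `out:` already sets the success value, and a compiler would likely flag the stray expression as an unused value. The body of proc_write_node() begins before this hunk.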

