net/compat: Fix minor information leak in siocdevprivate_ioctl()
We don't need to check that ifr_data itself is a valid user pointer, but we should check &ifr_data is. Thankfully the copy of ifr_name is checked, so this can only leak a few bytes from immediately above the user address limit. Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
This commit is contained in:
Родитель
e1bd1dc207
Коммит
417c3522b3
|
@ -3015,19 +3015,16 @@ static int siocdevprivate_ioctl(struct net *net, unsigned int cmd,
|
|||
if (copy_from_user(&tmp_buf[0], &(u_ifreq32->ifr_ifrn.ifrn_name[0]),
|
||||
IFNAMSIZ))
|
||||
return -EFAULT;
|
||||
if (__get_user(data32, &u_ifreq32->ifr_ifru.ifru_data))
|
||||
if (get_user(data32, &u_ifreq32->ifr_ifru.ifru_data))
|
||||
return -EFAULT;
|
||||
data64 = compat_ptr(data32);
|
||||
|
||||
u_ifreq64 = compat_alloc_user_space(sizeof(*u_ifreq64));
|
||||
|
||||
/* Don't check these user accesses, just let that get trapped
|
||||
* in the ioctl handler instead.
|
||||
*/
|
||||
if (copy_to_user(&u_ifreq64->ifr_ifrn.ifrn_name[0], &tmp_buf[0],
|
||||
IFNAMSIZ))
|
||||
return -EFAULT;
|
||||
if (__put_user(data64, &u_ifreq64->ifr_ifru.ifru_data))
|
||||
if (put_user(data64, &u_ifreq64->ifr_ifru.ifru_data))
|
||||
return -EFAULT;
|
||||
|
||||
return dev_ioctl(net, cmd, u_ifreq64);
|
||||
|
|
Загрузка…
Ссылка в новой задаче