Home » Mailing list archives » linux-kernel » 2008 » April » 29

[09/37] net: Fix wrong interpretation of some copy_to_user() results.

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
[view in full thread]
From: Greg KH
Subject: [09/37] net: Fix wrong interpretation of some copy_to_user() results.
Date: Tuesday, April 29, 2008 - 10:18 am

2.6.25-stable review patch.  If anyone has any objections, please let us
know.

------------------
From: Pavel Emelyanov <xemul@openvz.org>

[ Upstream commit: 653252c2302cdf2dfbca66a7e177f7db783f9efa ]

I found some places, that erroneously return the value obtained from
the copy_to_user() call: if some amount of bytes were not able to get
to the user (this is what this one returns) the proper behavior is to
return the -EFAULT error, not that number itself.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 net/can/raw.c     |    3 ++-
 net/dccp/probe.c  |    2 +-
 net/tipc/socket.c |    4 ++--
 3 files changed, 5 insertions(+), 4 deletions(-)

--- a/net/can/raw.c
+++ b/net/can/raw.c
@@ -573,7 +573,8 @@ static int raw_getsockopt(struct socket 
 			int fsize = ro->count * sizeof(struct can_filter);
 			if (len > fsize)
 				len = fsize;
-			err = copy_to_user(optval, ro->filter, len);
+			if (copy_to_user(optval, ro->filter, len))
+				err = -EFAULT;
 		} else
 			len = 0;
 		release_sock(sk);
--- a/net/dccp/probe.c
+++ b/net/dccp/probe.c
@@ -145,7 +145,7 @@ static ssize_t dccpprobe_read(struct fil
 		goto out_free;
 
 	cnt = kfifo_get(dccpw.fifo, tbuf, len);
-	error = copy_to_user(buf, tbuf, cnt);
+	error = copy_to_user(buf, tbuf, cnt) ? -EFAULT : 0;
 
 out_free:
 	vfree(tbuf);
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -1600,8 +1600,8 @@ static int getsockopt(struct socket *soc
 	else if (len < sizeof(value)) {
 		res = -EINVAL;
 	}
-	else if ((res = copy_to_user(ov, &value, sizeof(value)))) {
-		/* couldn't return value */
+	else if (copy_to_user(ov, &value, sizeof(value))) {
+		res = -EFAULT;
 	}
 	else {
 		res = put_user(sizeof(value), ol);

-- 
--
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
Messages in current thread:
[00/37] 2.6.25-stable review, Greg KH, (Tue Apr 29, 10:17 am)
[01/37] USB: log an error message when USB enumeration fails, Greg KH, (Tue Apr 29, 10:17 am)
[02/37] USB: Add HP hs2300 Broadband Wireless Module to si ..., Greg KH, (Tue Apr 29, 10:17 am)
[03/37] JFFS2: Fix free space leak with in-band cleanmarkers, Greg KH, (Tue Apr 29, 10:17 am)
[04/37] tg3: 5701 DMA corruption fix, Greg KH, (Tue Apr 29, 10:18 am)
[05/37] tcp: tcp_probe buffer overflow and incorrect retur ..., Greg KH, (Tue Apr 29, 10:18 am)
[07/37] RTNETLINK: Fix bogus ASSERT_RTNL warning, Greg KH, (Tue Apr 29, 10:18 am)
[08/37] rose: Socket lock was not released before returnin ..., Greg KH, (Tue Apr 29, 10:18 am)
[09/37] net: Fix wrong interpretation of some copy_to_user ..., Greg KH, (Tue Apr 29, 10:18 am)
[10/37] IPSEC: Fix catch-22 with algorithm IDs above 31, Greg KH, (Tue Apr 29, 10:18 am)
[11/37] USB: OHCI: fix bug in controller resume, Greg KH, (Tue Apr 29, 10:18 am)
[12/37] dm snapshot: fix chunksize sector conversion, Greg KH, (Tue Apr 29, 10:18 am)
[13/37] cgroup: fix a race condition in manipulating tsk-&gt; ..., Greg KH, (Tue Apr 29, 10:18 am)
[14/37] RDMA/nes: Free IRQ before killing tasklet, Greg KH, (Tue Apr 29, 10:18 am)
[15/37] V4L: Fix VIDIOCGAP corruption in ivtv, Greg KH, (Tue Apr 29, 10:18 am)
[16/37] V4L: tea5761: bugzilla #10462: tea5761 autodetecti ..., Greg KH, (Tue Apr 29, 10:18 am)
[17/37] V4L: cx88: enable radio GPIO correctly, Greg KH, (Tue Apr 29, 10:18 am)
[18/37] S2io: Fix memory leak during free_tx_buffers, Greg KH, (Tue Apr 29, 10:18 am)
[19/37] S2io: Version update for memory leak fix during fr ..., Greg KH, (Tue Apr 29, 10:18 am)
[20/37] SELinux: no BUG_ON(!ss_initialized) in selinux_clo ..., Greg KH, (Tue Apr 29, 10:18 am)
[21/37] x86, pci: fix off-by-one errors in some pirq warnings, Greg KH, (Tue Apr 29, 10:18 am)
[22/37] ssb: Fix all-ones boardflags, Greg KH, (Tue Apr 29, 10:18 am)
[23/37] b43: Workaround invalid bluetooth settings, Greg KH, (Tue Apr 29, 10:18 am)
[24/37] b43: Add more btcoexist workarounds, Greg KH, (Tue Apr 29, 10:18 am)
[25/37] b43: Workaround DMA quirks, Greg KH, (Tue Apr 29, 10:18 am)
[26/37] tehuti: check register size (CVE-2008-1675), Greg KH, (Tue Apr 29, 10:18 am)
[27/37] tehuti: move ioctl perm check closer to function s ..., Greg KH, (Tue Apr 29, 10:19 am)
[28/37] aio: io_getevents() should return if io_destroy() ..., Greg KH, (Tue Apr 29, 10:19 am)
[29/37] rtc-pcf8583 build fix, Greg KH, (Tue Apr 29, 10:19 am)
[30/37] dz: test after postfix decrement fails in dz_conso ..., Greg KH, (Tue Apr 29, 10:19 am)
[31/37] mm: fix possible off-by-one in walk_pte_range(), Greg KH, (Tue Apr 29, 10:19 am)
[32/37] hrtimer: timeout too long when using HRTIMER_CB_SO ..., Greg KH, (Tue Apr 29, 10:19 am)
[33/37] RDMA/nes: Fix adapter reset after PXE boot, Greg KH, (Tue Apr 29, 10:19 am)
[34/37] SCSI: qla2xxx: Correct regression in relogin code., Greg KH, (Tue Apr 29, 10:19 am)
[35/37] alpha: unbreak OSF/1 (a.out) binaries, Greg KH, (Tue Apr 29, 10:19 am)
[36/37] x86: Fix 32-bit x86 MSI-X allocation leakage, Greg KH, (Tue Apr 29, 10:19 am)
[37/37] hrtimer: raise softirq unlocked to avoid circular ..., Greg KH, (Tue Apr 29, 10:19 am)
Re: [27/37] tehuti: move ioctl perm check closer to functi ..., Alan Cox, (Tue Apr 29, 11:13 am)
Re: [27/37] tehuti: move ioctl perm check closer to functi ..., Greg KH, (Tue Apr 29, 11:55 am)
Re: [27/37] tehuti: move ioctl perm check closer to functi ..., Linus Torvalds, (Tue Apr 29, 12:02 pm)
Re: [00/37] 2.6.25-stable review, Andre Noll, (Wed Apr 30, 12:58 am)
Re: [stable] [27/37] tehuti: move ioctl perm check closer ..., Greg KH, (Wed Apr 30, 9:39 am)
Re: [stable] [00/37] 2.6.25-stable review, Chris Wright, (Wed Apr 30, 5:25 pm)