[PATCH] RTAS syscall NULL ptr deref (2.6)
Benjamin Herrenschmidt
benh at kernel.crashing.org
Fri Feb 27 13:35:54 EST 2004
On Fri, 2004-02-27 at 11:22, John Rose wrote:
> The patch below fixes a NULL ptr deref in the RTAS syscall on 2.6. I
> pushed it already, but send comments if you want :)
Can you quickly explain how the code could do a NULL ptr deref in
the first place ? (and how that's fixed). The patch looks fine
but I don't see how it fixes a NULL ptr :) And Linus is rather
picky about patch descriptions not matching actual content...
Ben.
> Thanks-
> John
>
> diff -Nru a/arch/ppc64/kernel/rtas.c b/arch/ppc64/kernel/rtas.c
> --- a/arch/ppc64/kernel/rtas.c Thu Feb 26 16:30:25 2004
> +++ b/arch/ppc64/kernel/rtas.c Thu Feb 26 16:30:25 2004
> @@ -426,6 +426,7 @@
> {
> struct rtas_args args;
> unsigned long flags;
> + int nargs;
>
> if (!capable(CAP_SYS_ADMIN))
> return -EPERM;
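Review bot: the new local `nargs` is declared `int` but in the next hunk it is compared against `ARRAY_SIZE(args.args)`, an unsigned value, and added to `args.nret`; if `args.nargs` is an unsigned field in `struct rtas_args`, declare the cached copy with the same type so the bounds checks do not mix signed and unsigned operands (a negative `int` is still rejected by the comparison, but the intent is clearer with matching types).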
> @@ -433,14 +434,15 @@
> if (copy_from_user(&args, uargs, 3 * sizeof(u32)) != 0)
> return -EFAULT;
>
> - if (args.nargs > ARRAY_SIZE(args.args)
> + nargs = args.nargs;
> + if (nargs > ARRAY_SIZE(args.args)
> || args.nret > ARRAY_SIZE(args.args)
> - || args.nargs + args.nret > ARRAY_SIZE(args.args))
> + || nargs + args.nret > ARRAY_SIZE(args.args))
> return -EINVAL;
>
> /* Copy in args. */
> if (copy_from_user(args.args, uargs->args,
> - args.nargs * sizeof(rtas_arg_t)) != 0)
> + nargs * sizeof(rtas_arg_t)) != 0)
> return -EFAULT;
>
> spin_lock_irqsave(&rtas.lock, flags);
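Review bot: this hunk does not itself touch a NULL pointer, so the patch description should say why `nargs` is snapshotted here: the validated count is needed later, after `args` is overwritten from the paca, for the `copy_to_user()` offsets, and caching it means the copy-out can never use a count that was not bounds-checked. A minor point: with `nargs + args.nret > ARRAY_SIZE(args.args)` in place, the separate `args.nret > ARRAY_SIZE(args.args)` test is redundant unless overflow of the sum is a concern, in which case a comment would help.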
> @@ -449,14 +451,15 @@
> enter_rtas((void *)__pa((unsigned long)&get_paca()->xRtas));
> args = get_paca()->xRtas;
>
> + args.rets = (rtas_arg_t *)&(args.args[nargs]);
> if (args.rets[0] == -1)
> log_rtas_error(&args);
>
> spin_unlock_irqrestore(&rtas.lock, flags);
>
> /* Copy out args. */
> - if (copy_to_user(uargs->args + args.nargs,
> - args.args + args.nargs,
> + if (copy_to_user(uargs->args + nargs,
> + args.args + nargs,
> args.nret * sizeof(rtas_arg_t)) != 0)
> return -EFAULT;
>
>
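Review bot: the added `args.rets = ...` line is the actual fix for the NULL dereference and deserves to be named in the description, which would also answer the question above: nothing in the visible code sets `args.rets` before `args.rets[0] == -1` is evaluated, and `args` has just been overwritten wholesale by `args = get_paca()->xRtas;`, so the pointer read there is whatever the struct happened to hold. Placing the assignment after that struct copy is the right spot; the `(rtas_arg_t *)` cast is unnecessary if `rets` is already an `rtas_arg_t *` and `args.args + nargs` would read the same as the copy-out below. The copy-out using the cached `nargs` rather than `args.nargs` is also worth a sentence, since it is the reason the firmware-returned struct cannot steer the `copy_to_user()` offset.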
--
Benjamin Herrenschmidt <benh at kernel.crashing.org>
** Sent via the linuxppc64-dev mail list. See http://lists.linuxppc.org/