sr_ioctl and scsi_ioctl flaws
daemon@ATHENA.MIT.EDU (Heiko Eissfeldt)
Sun May 14 10:32:33 1995
From: heiko@colossus.escape.de (Heiko Eissfeldt)
To: linux-scsi@vger.rutgers.edu
Date: Sun, 14 May 1995 11:48:55 +0200 (MET DST)
Cc: eric@aib.com, drew@COLORADO.Edu
Hi Drew, Eric and Linux users,
I checked the SCSI code for missing verify_area() return-value checks and
found the following lines:
--- scsi_ioctl.c_org Sun May 14 11:16:36 1995
+++ scsi_ioctl.c Sun May 14 11:19:36 1995
@@ -42,8 +42,8 @@
slen = strlen(string);
if (len > slen)
len = slen + 1;
- verify_area(VERIFY_WRITE, buffer, len);
- memcpy_tofs (buffer, string, len);
+ if (!verify_area(VERIFY_WRITE, buffer, len))
+ memcpy_tofs (buffer, string, len);
}
}
return temp;
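Review bot: The new guard around verify_area() drops the failure silently: when the check fails the memcpy_tofs() is skipped, but control still falls through to `return temp;`, so the caller sees a normal-looking result even though nothing was written to its buffer. The sr_ioctl.c hunks in the same mail return the verify_area() result instead, and this hunk should do the same, e.g. `err = verify_area(VERIFY_WRITE, buffer, len); if (err) return err;` ahead of the copy. The enclosing function starts outside the hunk, so it is not visible here whether an `int err` already exists in its scope or needs to be added.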
@@ -241,6 +241,7 @@
*/
int scsi_ioctl (Scsi_Device *dev, int cmd, void *arg)
{
+ int err;
char scsi_cmd[12];
/* No idea how this happens.... */
@@ -248,10 +249,10 @@
switch (cmd) {
case SCSI_IOCTL_GET_IDLUN:
- verify_area(VERIFY_WRITE, (void *) arg, sizeof(int));
- put_fs_long(dev->id + (dev->lun << 8) +
+ err = verify_area(VERIFY_WRITE, (void *) arg, sizeof(int));
+ if (!err) put_fs_long(dev->id + (dev->lun << 8) +
(dev->host->host_no << 16), (unsigned long *) arg);
- return 0;
+ return err;
case SCSI_IOCTL_TAGGED_ENABLE:
if(!suser()) return -EACCES;
if(!dev->tagged_supported) return -EINVAL;
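Review bot: The added verify_area() call in the SCSI_IOCTL_GET_IDLUN case checks `sizeof(int)` bytes, while the following line stores the value through `(unsigned long *) arg` with put_fs_long(), so the size validated is not the size written. On the 32-bit targets of the day int and long coincide, so this is presumably harmless there, but the check should name the type it protects: `err = verify_area(VERIFY_WRITE, (void *) arg, sizeof(unsigned long));`. The `int err` this hunk relies on is introduced by the preceding hunk at the top of scsi_ioctl(), which appears to be the same function.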
--- sr_ioctl.c_org Sun May 14 11:16:24 1995
+++ sr_ioctl.c Sun May 14 11:21:53 1995
@@ -206,7 +206,9 @@
struct cdrom_tocentry tocentry;
char * buffer;
- verify_area (VERIFY_READ, (void *) arg, sizeof (struct cdrom_tocentry));
+ err = verify_area (VERIFY_READ, (void *) arg, sizeof (struct cdrom_tocentry));
+ if (err)
+ return err;
memcpy_fromfs (&tocentry, (void *) arg, sizeof (struct cdrom_tocentry));
sr_cmd[0] = SCMD_READ_TOC;
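Review bot: This hunk and the one at @@ -278 both assign to `err`, but unlike the scsi_ioctl.c part of the patch no hunk in sr_ioctl.c adds a declaration for it; unless the enclosing function (which starts outside the hunk) already declares an `int err`, the file will not compile. Confirm the declaration or add `int err;` in that function's scope, at the same level as the existing locals such as `struct cdrom_tocentry tocentry;`. Returning the verify_area() result directly, as both hunks do, is the right shape and matches the scsi_ioctl.c change.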
@@ -278,7 +280,9 @@
char * buffer, * mask;
struct cdrom_volctrl volctrl;
- verify_area (VERIFY_READ, (void *) arg, sizeof (struct cdrom_volctrl));
+ err = verify_area (VERIFY_READ, (void *) arg, sizeof (struct cdrom_volctrl));
+ if (err)
+ return err;
memcpy_fromfs (&volctrl, (void *) arg, sizeof (struct cdrom_volctrl));
/* First we get the current params so we can just twiddle the volume */
Cheers, Heiko