My last word on copy_to_user

Michael Elizabeth Chastain (mec@shout.net)
Sat, 24 Jan 1998 00:12:00 -0600

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Trevor Johnson: "Re: More 2.1.81 compile errors(with fix)"
Previous message: Michael Elizabeth Chastain: "Re: PATCH: xconfig bug (still there in 2.1.81)"
Next in thread: Bill Hawes: "Re: My last word on copy_to_user"
Maybe reply: Bill Hawes: "Re: My last word on copy_to_user"

Hi guys,

Here is a list of places in 2.1.80 that call copy_to_user and expect
it to return -EFAULT, or a negative number, on error. These callers
are wrong.

I think most, or all, of these places will work correctly as long
as the addresses are supplied are valid. In that case copy_to_user
returns 0 and every caller accepts 0 as a sign of success.

For invalid addresses, the caller is likely to see strange effects,
such as an unexpected return value. But I don't believe anyone
could subvert this and produce a security breach. It would be good
for these callers to handle invalid addresses correctly but it's
not security-threatening.

Amazingly, the PPC _implementation_ of copy_to_user follows the
-EFAULT / 0 convention. This is more important to fix.

And that's the last out of me on this topic for a while. Whew.

Michael Chastain
<mailto:mec@shout.net>
"love without fear'

copy_to_user
osf_sigpending arch/alpha/kernel/signal.c
save_v86_state arch/i386/kernel/vm86.c
sys32_newuname arch/sparc64/kernel/sys_sparc32.c
fd_ioctl drivers/block/amiflop.c
floppy_ioctl drivers/block/swim3.c
IOCTL_OUT drivers/cdrom/cdrom.c
hfmodem_ioctl drivers/char/hfmodem/modem.c
read_mem drivers/char/mem.c
softdog_ioctl drivers/char/softdog.c
wdt_ioctl drivers/char/wdt.c
capi_read drivers/isdn/avmb1/capi.c
icn_command drivers/isdn/icn/icn.c
isdn_ioctl drivers/isdn/isdn_common.c
isdn_net_getphones drivers/isdn/isdn_net.c
set_arg drivers/isdn/isdn_ppp.c
isdn_ppp_read drivers/isdn/isdn_ppp.c
isdn_ppp_dev_ioctl_stats drivers/isdn/isdn_ppp.c
isdn_ppp_dev_ioctl drivers/isdn/isdn_ppp.c
sc_ioctl drivers/isdn/sc/ioctl.c
get_serial_info drivers/macintosh/macserial.c
ppp_tty_ioctl drivers/net/ppp.c
ppp_dev_ioctl_version drivers/net/ppp.c
ppp_dev_ioctl_stats drivers/net/ppp.c
ppp_dev_ioctl_comp_stats drivers/net/ppp.c
flash_read drivers/sbus/char/flash.c
openprom_bsd_ioctl drivers/sbus/char/openprom.c
get_serial_info drivers/sgi/char/sgiserial.c
dma_ioctl drivers/sound/audio.c
IOCTL_TO_USER drivers/sound/lowlevel/awe_compat.h
copy_to_user include/asm-ppc/uaccess.h
copy_to_user include/linux/isdnif.h
sys_rt_sigpending kernel/signal.c
sys_sigpending kernel/signal.c
put_cmsg net/core/scm.c

Next message: Trevor Johnson: "Re: More 2.1.81 compile errors(with fix)"
Previous message: Michael Elizabeth Chastain: "Re: PATCH: xconfig bug (still there in 2.1.81)"
Next in thread: Bill Hawes: "Re: My last word on copy_to_user"
Maybe reply: Bill Hawes: "Re: My last word on copy_to_user"