提交 6a029a90 编写于 作者: A Al Viro 提交者: Linus Torvalds

[PATCH] mmaper_kern.c fixes [buffer overruns]

 - copy_from_user() can fail; ->write() must check its return value.

 - severe buffer overruns both in ->read() and ->write() - lseek to the
   end (i.e.  to mmapper_size) and

	if (count + *ppos > mmapper_size)
		count = count + *ppos - mmapper_size;

   will do absolutely nothing.  Then it will call

	copy_to_user(buf,&v_buf[*ppos],count);

   with obvious results (similar for ->write()).

   Fixed by turning read to simple_read_from_buffer() and by doing
   normal limiting of count in ->write().

 - gratitious lock_kernel() in ->mmap() - it's useless there.

 - lots of gratuitous includes.
Signed-off-by: NAl Viro <viro@parcelfarce.linux.theplanet.co.uk>
Signed-off-by: NLinus Torvalds <torvalds@osdl.org>
上级 36676bcb
...@@ -9,19 +9,11 @@ ...@@ -9,19 +9,11 @@
* *
*/ */
#include <linux/types.h> #include <linux/init.h>
#include <linux/kdev_t.h>
#include <linux/time.h>
#include <linux/devfs_fs_kernel.h>
#include <linux/module.h> #include <linux/module.h>
#include <linux/mm.h> #include <linux/mm.h>
#include <linux/slab.h>
#include <linux/init.h>
#include <linux/smp_lock.h>
#include <linux/miscdevice.h> #include <linux/miscdevice.h>
#include <asm/uaccess.h> #include <asm/uaccess.h>
#include <asm/irq.h>
#include <asm/pgtable.h>
#include "mem_user.h" #include "mem_user.h"
#include "user_util.h" #include "user_util.h"
...@@ -31,35 +23,22 @@ static unsigned long p_buf = 0; ...@@ -31,35 +23,22 @@ static unsigned long p_buf = 0;
static char *v_buf = NULL; static char *v_buf = NULL;
static ssize_t static ssize_t
mmapper_read(struct file *file, char *buf, size_t count, loff_t *ppos) mmapper_read(struct file *file, char __user *buf, size_t count, loff_t *ppos)
{ {
if(*ppos > mmapper_size) return simple_read_from_buffer(buf, count, ppos, v_buf, mmapper_size);
return -EINVAL;
if(count + *ppos > mmapper_size)
count = count + *ppos - mmapper_size;
if(count < 0)
return -EINVAL;
copy_to_user(buf,&v_buf[*ppos],count);
return count;
} }
static ssize_t static ssize_t
mmapper_write(struct file *file, const char *buf, size_t count, loff_t *ppos) mmapper_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos)
{ {
if(*ppos > mmapper_size) if (*ppos > mmapper_size)
return -EINVAL; return -EINVAL;
if(count + *ppos > mmapper_size) if (count > mmapper_size - *ppos)
count = count + *ppos - mmapper_size; count = mmapper_size - *ppos;
if(count < 0)
return -EINVAL;
copy_from_user(&v_buf[*ppos],buf,count); if (copy_from_user(&v_buf[*ppos], buf, count))
return -EFAULT;
return count; return count;
} }
...@@ -77,7 +56,6 @@ mmapper_mmap(struct file *file, struct vm_area_struct * vma) ...@@ -77,7 +56,6 @@ mmapper_mmap(struct file *file, struct vm_area_struct * vma)
int ret = -EINVAL; int ret = -EINVAL;
int size; int size;
lock_kernel();
if (vma->vm_pgoff != 0) if (vma->vm_pgoff != 0)
goto out; goto out;
...@@ -92,7 +70,6 @@ mmapper_mmap(struct file *file, struct vm_area_struct * vma) ...@@ -92,7 +70,6 @@ mmapper_mmap(struct file *file, struct vm_area_struct * vma)
goto out; goto out;
ret = 0; ret = 0;
out: out:
unlock_kernel();
return ret; return ret;
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册