net/compat: Fix minor information leak in siocdevprivate_ioctl() We don't need to check that ifr_data itself is a valid user pointer, but we should check &ifr_data is. Thankfully the copy of ifr_name is checked, so this can only leak a few bytes from immediately above the user address limit. Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>

commit: 417c3522b3202dacce4873cfb0190459fbce95c5 [log] [tgz]
author: Ben Hutchings <bhutchings@solarflare.com> Mon Nov 18 17:04:58 2013 +0000
committer: Ben Hutchings <bhutchings@solarflare.com> Mon Nov 18 23:50:12 2013 +0000
tree: d5b85dd1d60098c6231bfef3af00a4a176fb2a70
parent: e1bd1dc207dae92cdb5b424226f89d1b4e4bb182 [diff] [blame]
diff --git a/net/socket.c b/net/socket.c
index c226ace..fbb6ec1 100644
--- a/net/socket.c
+++ b/net/socket.c

@@ -3015,19 +3015,16 @@
 	if (copy_from_user(&tmp_buf[0], &(u_ifreq32->ifr_ifrn.ifrn_name[0]),
 			   IFNAMSIZ))
 		return -EFAULT;
-	if (__get_user(data32, &u_ifreq32->ifr_ifru.ifru_data))
+	if (get_user(data32, &u_ifreq32->ifr_ifru.ifru_data))
 		return -EFAULT;
 	data64 = compat_ptr(data32);
 
 	u_ifreq64 = compat_alloc_user_space(sizeof(*u_ifreq64));
 
-	/* Don't check these user accesses, just let that get trapped
-	 * in the ioctl handler instead.
-	 */
 	if (copy_to_user(&u_ifreq64->ifr_ifrn.ifrn_name[0], &tmp_buf[0],
 			 IFNAMSIZ))
 		return -EFAULT;
-	if (__put_user(data64, &u_ifreq64->ifr_ifru.ifru_data))
+	if (put_user(data64, &u_ifreq64->ifr_ifru.ifru_data))
 		return -EFAULT;
 
 	return dev_ioctl(net, cmd, u_ifreq64);
commit	417c3522b3202dacce4873cfb0190459fbce95c5	[log] [tgz]
author	Ben Hutchings <bhutchings@solarflare.com>	Mon Nov 18 17:04:58 2013 +0000
committer	Ben Hutchings <bhutchings@solarflare.com>	Mon Nov 18 23:50:12 2013 +0000
tree	d5b85dd1d60098c6231bfef3af00a4a176fb2a70
parent	e1bd1dc207dae92cdb5b424226f89d1b4e4bb182 [diff] [blame]