From: sandeen@sandeen.net
To: xfs@oss.sgi.com
Cc: hch@infradead.org, david@fromorbit.com
Subject: [patch 02/11] Fix the compat XFS_IOC_FSGEOMETRY_V1 ioctl
Date: Tue, 18 Nov 2008 22:44:03 -0600
Message-Id: <20081119044908.158054231@sandeen.net>
References: <20081119044401.573365619@sandeen.net>
User-Agent: quilt/0.46-1
Content-Disposition: inline; filename=fix_compat_fsgeometry_v1
This ioctl copies kernel data to the user, so we must have a compat helper to copy it out to the 32-bit structure; the current code had it backward, and translated the 32-bit arg to 64-bit, and called the native ioctl, which copied it back as if it were talking to 64-bit userspace. Because the 64-bit arg has padding on the end on Intel, I think this risked corruption in userspace.

Signed-off-by: Eric Sandeen

--

Index: linux-2.6-xfs/fs/xfs/linux-2.6/xfs_ioctl32.c =================================================================== --- linux-2.6-xfs.orig/fs/xfs/linux-2.6/xfs_ioctl32.c +++ linux-2.6-xfs/fs/xfs/linux-2.6/xfs_ioctl32.c @@ -44,6 +44,7 @@ #include "xfs_error.h" #include "xfs_dfrag.h" #include "xfs_vnodeops.h" +#include "xfs_fsops.h" #include "xfs_ioctl32.h" #define _NATIVE_IOC(cmd, type) \ @@ -68,15 +69,22 @@ xfs_ioctl32_flock_copyin(unsigned long a return (unsigned long)p; } -STATIC unsigned long -xfs_ioctl32_geom_v1_copyin(unsigned long arg) +/* This handles a copy-out, where the 32-bit user struct lacks padding */ +STATIC int +xfs_ioc_fsgeometry_v1_compat( + xfs_mount_t *mp, + void __user *arg) { - compat_xfs_fsop_geom_v1_t __user *p32 = (void __user *)arg; - xfs_fsop_geom_v1_t __user *p = compat_alloc_user_space(sizeof(*p)); + xfs_fsop_geom_v1_t fsgeo; + int error; - if (copy_in_user(p, p32, sizeof(*p32))) + error = xfs_fs_geometry(mp, (xfs_fsop_geom_t *)&fsgeo, 3); + if (error) + return -error; + + if (copy_to_user(arg, &fsgeo, sizeof(struct compat_xfs_fsop_geom_v1))) return -XFS_ERROR(EFAULT); - return (unsigned long)p; + return 0; } STATIC int 
@@ -300,9 +308,8 @@ xfs_compat_ioctl( cmd = _NATIVE_IOC(cmd, struct xfs_flock64); break; case XFS_IOC_FSGEOMETRY_V1_32: - arg = xfs_ioctl32_geom_v1_copyin(arg); - cmd = _NATIVE_IOC(cmd, struct xfs_fsop_geom_v1); - break; + return xfs_ioc_fsgeometry_v1_compat(XFS_I(inode)->i_mount, + (void __user*)arg); #else /* These are handled fine if no alignment issues */ case XFS_IOC_ALLOCSP: --
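Review bot: in the new xfs_ioc_fsgeometry_v1_compat() (the @@ -68,15 +69,22 @@ hunk), `fsgeo` is an xfs_fsop_geom_v1_t but is handed to xfs_fs_geometry() as `(xfs_fsop_geom_t *)&fsgeo` with version 3; that is only safe if xfs_fs_geometry() honours the version argument and never writes the post-v1 fields into the smaller stack buffer, so a reviewer has to verify that callee rather than this hunk alone. The copy-out length `sizeof(struct compat_xfs_fsop_geom_v1)` likewise assumes the compat struct is a strict prefix of the native one (same fields at the same offsets, differing only in the trailing padding the new comment mentions); a BUILD_BUG_ON on the two structs' sizes or a comment stating that invariant would keep a later field addition from silently desynchronising them. `return -error;` and `return -XFS_ERROR(EFAULT);` both hand back a negative errno, which is what the caller's early return needs.

Review bot: in the @@ -300,9 +308,8 @@ hunk, `return xfs_ioc_fsgeometry_v1_compat(...)` leaves xfs_compat_ioctl() from inside the switch, so whatever follows the switch for the other cases (the `cmd = _NATIVE_IOC(...); break;` path feeds a native call afterwards) is skipped for this command; that is the intent, but it means this helper must already return in the function's negative-errno convention, which it does. Style: `(void __user*)arg` should be `(void __user *)arg` per kernel coding style.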
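The commit message says the 64-bit struct "has padding on the end on Intel" and that copying it back as if to 64-bit userspace risked corrupting the 32-bit caller. As an added example that is not part of Eric Sandeen's patch or the XFS tree, the user-space C model below reproduces that mechanism: a struct with 64-bit members is 8-byte aligned on x86_64 and is padded out to 112 bytes, while a 32-bit process (where the kernel's compat_u64 is only 4-byte aligned) lays the same fields out in 108 bytes. Copying the native size into the caller's buffer overwrites the word after it; copying the compat size, as the patch does, does not. The struct names, the simulated copy_to_user(), and the sample geometry values are stand-ins chosen for illustration.

```c
/*
 * Added example, not code from the patch or the XFS tree: a user-space
 * model of the compat copy-out bug.  The native struct has 64-bit members,
 * so on x86_64 it is 8-byte aligned and padded at the end; the i386 layout
 * (compat_u64 is 4-byte aligned) has no such padding.  Struct/field names
 * and sample values are stand-ins chosen for illustration.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same trick the x86 kernel uses for compat_u64: 64-bit value, 4-byte aligned. */
typedef uint64_t compat_u64 __attribute__((aligned(4)));

/* Native (64-bit kernel) view of the v1 geometry structure. */
struct fsop_geom_v1_native {
	uint32_t blocksize, rtextsize, agblocks, agcount;
	uint32_t logblocks, sectsize, inodesize, imaxpct;
	uint64_t datablocks, rtblocks, rtextents, logstart;
	unsigned char uuid[16];
	uint32_t sunit, swidth;
	int32_t version;
	uint32_t flags, logsectsize, rtsectsize, dirblocksize;
};

/* The same fields as a 32-bit process sees them: no trailing padding. */
struct compat_fsop_geom_v1 {
	uint32_t blocksize, rtextsize, agblocks, agcount;
	uint32_t logblocks, sectsize, inodesize, imaxpct;
	compat_u64 datablocks, rtblocks, rtextents, logstart;
	unsigned char uuid[16];
	uint32_t sunit, swidth;
	int32_t version;
	uint32_t flags, logsectsize, rtsectsize, dirblocksize;
};

#define COMPAT_SIZE	sizeof(struct compat_fsop_geom_v1)
#define NATIVE_SIZE	sizeof(struct fsop_geom_v1_native)
#define CANARY		0xC0FFEE42u

/* Stand-in for xfs_fs_geometry(): fills the native struct with constructed values. */
static void fill_geometry(struct fsop_geom_v1_native *g)
{
	memset(g, 0, sizeof(*g));	/* also zeroes the padding bytes */
	g->blocksize = 4096;
	g->datablocks = 0x123456789ULL;
	g->version = 3;
	g->dirblocksize = 4096;
}

/*
 * Simulate copy_to_user() of copy_len bytes into a 32-bit caller's buffer
 * that is exactly COMPAT_SIZE bytes long and is followed in memory by an
 * unrelated word (the canary).  Returns the canary's value afterwards.
 */
static uint32_t copy_out_and_read_canary(size_t copy_len)
{
	unsigned char user_mem[COMPAT_SIZE + sizeof(uint32_t)];
	uint32_t canary = CANARY, after;
	struct fsop_geom_v1_native g;

	memset(user_mem, 0, sizeof(user_mem));
	memcpy(user_mem + COMPAT_SIZE, &canary, sizeof(canary));
	fill_geometry(&g);
	if (copy_len > sizeof(user_mem))	/* keep the simulation in bounds */
		copy_len = sizeof(user_mem);
	memcpy(user_mem, &g, copy_len);		/* the copy_to_user() */
	memcpy(&after, user_mem + COMPAT_SIZE, sizeof(after));
	return after;
}

/* Old behaviour: native size copied to a 32-bit buffer.  1 if the canary was hit. */
static int buggy_copy_out_clobbers(void)
{
	return copy_out_and_read_canary(NATIVE_SIZE) != CANARY;
}

/* Patched behaviour: only sizeof(compat struct) is copied. */
static int fixed_copy_out_clobbers(void)
{
	return copy_out_and_read_canary(COMPAT_SIZE) != CANARY;
}

/* The prefix copy is faithful because both layouts agree on every field offset. */
static int fixed_copy_out_roundtrip_ok(void)
{
	struct fsop_geom_v1_native g;
	struct compat_fsop_geom_v1 c;

	fill_geometry(&g);
	memcpy(&c, &g, sizeof(c));
	return c.blocksize == g.blocksize && c.datablocks == g.datablocks &&
	       c.version == g.version && c.dirblocksize == g.dirblocksize;
}

int main(void)
{
	printf("native %zu bytes, compat %zu bytes\n", NATIVE_SIZE, COMPAT_SIZE);
	printf("buggy copy-out clobbers caller memory: %d\n", buggy_copy_out_clobbers());
	printf("fixed copy-out clobbers caller memory: %d\n", fixed_copy_out_clobbers());
	printf("fixed copy-out round-trips fields: %d\n", fixed_copy_out_roundtrip_ok());
	return 0;
}
```

On an x86_64 host the two sizes differ by the four trailing padding bytes, the buggy copy overwrites the canary and the fixed copy leaves it intact; on a 32-bit host both sizes coincide and the bug cannot show, which is exactly why it only matters under compat.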