Skip to content

Commit 79bc12a

Browse files
Al Virotorvalds
Al Viro
authored and
torvalds
committed
ecryptfs fixes
memcpy() from userland pointer is a Bad Thing(tm) Signed-off-by: Al Viro <[email protected]> Signed-off-by: Linus Torvalds <[email protected]>
1 parent 4ec7ffa commit 79bc12a

File tree

1 file changed

+12
-14
lines changed

1 file changed

+12
-14
lines changed

fs/ecryptfs/miscdev.c

+12-14
Original file line numberDiff line numberDiff line change
@@ -243,7 +243,6 @@ ecryptfs_miscdev_read(struct file *file, char __user *buf, size_t count,
243243
struct ecryptfs_daemon *daemon;
244244
struct ecryptfs_msg_ctx *msg_ctx;
245245
size_t packet_length_size;
246-
u32 counter_nbo;
247246
char packet_length[3];
248247
size_t i;
249248
size_t total_length;
@@ -328,20 +327,18 @@ ecryptfs_miscdev_read(struct file *file, char __user *buf, size_t count,
328327
"pending message\n", __func__, count, total_length);
329328
goto out_unlock_msg_ctx;
330329
}
331-
i = 0;
332-
buf[i++] = msg_ctx->type;
333-
counter_nbo = cpu_to_be32(msg_ctx->counter);
334-
memcpy(&buf[i], (char *)&counter_nbo, 4);
335-
i += 4;
330+
rc = -EFAULT;
331+
if (put_user(msg_ctx->type, buf))
332+
goto out_unlock_msg_ctx;
333+
if (put_user(cpu_to_be32(msg_ctx->counter), (__be32 __user *)(buf + 1)))
334+
goto out_unlock_msg_ctx;
335+
i = 5;
336336
if (msg_ctx->msg) {
337-
memcpy(&buf[i], packet_length, packet_length_size);
337+
if (copy_to_user(&buf[i], packet_length, packet_length_size))
338+
goto out_unlock_msg_ctx;
338339
i += packet_length_size;
339-
rc = copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size);
340-
if (rc) {
341-
printk(KERN_ERR "%s: copy_to_user returned error "
342-
"[%d]\n", __func__, rc);
340+
if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
343341
goto out_unlock_msg_ctx;
344-
}
345342
i += msg_ctx->msg_size;
346343
}
347344
rc = i;
@@ -452,7 +449,8 @@ static ssize_t
452449
ecryptfs_miscdev_write(struct file *file, const char __user *buf,
453450
size_t count, loff_t *ppos)
454451
{
455-
u32 counter_nbo, seq;
452+
__be32 counter_nbo;
453+
u32 seq;
456454
size_t packet_size, packet_size_length, i;
457455
ssize_t sz = 0;
458456
char *data;
@@ -485,7 +483,7 @@ ecryptfs_miscdev_write(struct file *file, const char __user *buf,
485483
count);
486484
goto out_free;
487485
}
488-
memcpy((char *)&counter_nbo, &data[i], 4);
486+
memcpy(&counter_nbo, &data[i], 4);
489487
seq = be32_to_cpu(counter_nbo);
490488
i += 4;
491489
rc = ecryptfs_parse_packet_length(&data[i], &packet_size,

0 commit comments

Comments
 (0)