From b9b64e6e89fc5a6ef220747115c5b7764614ca3f Mon Sep 17 00:00:00 2001
From: "David S. Miller" <davem@sunset.davemloft.net>
Date: Mon, 18 Sep 2006 01:47:13 -0700
Subject: [PATCH 1/2] [OPENPROMIO]: Handle current_node being NULL correctly.

If the user tries to traverse to the next node of the
last node, we get NULL in current_node and a zero phandle
returned.  That's fine, but if the user tries to obtain
properties in that state, we try to dereference a NULL
pointer in the downcall to the of_*() routines.

So protect against that.

Signed-off-by: David S. Miller <davem@davemloft.net>
---
 drivers/sbus/char/openprom.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/drivers/sbus/char/openprom.c b/drivers/sbus/char/openprom.c
index 293bb2fdb1d5..2f698763ba5d 100644
--- a/drivers/sbus/char/openprom.c
+++ b/drivers/sbus/char/openprom.c
@@ -145,8 +145,9 @@ static int opromgetprop(void __user *argp, struct device_node *dp, struct openpr
 	void *pval;
 	int len;
 
-	pval = of_get_property(dp, op->oprom_array, &len);
-	if (!pval || len <= 0 || len > bufsize)
+	if (!dp ||
+	    !(pval = of_get_property(dp, op->oprom_array, &len)) ||
+	    len <= 0 || len > bufsize)
 		return copyout(argp, op, sizeof(int));
 
 	memcpy(op->oprom_array, pval, len);
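Review bot: The NULL guard on `dp` is folded into a condition that also assigns `pval`, which is harder to read than the standalone guard this same commit adds to opromnxtprop. Splitting it keeps the two handlers parallel: `if (!dp) return copyout(argp, op, sizeof(int));`, then the original `pval = of_get_property(dp, op->oprom_array, &len);` and `if (!pval || len <= 0 || len > bufsize)`. A one-line comment on the guard, such as `/* current_node is NULL after stepping past the last node */`, would record why a NULL node is reachable from user space. The function body continues past the end of the hunk.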
@@ -161,6 +162,8 @@ static int opromnxtprop(void __user *argp, struct device_node *dp, struct openpr
 	struct property *prop;
 	int len;
 
+	if (!dp)
+		return copyout(argp, op, sizeof(int));
 	if (op->oprom_array[0] == '\0') {
 		prop = dp->properties;
 		if (!prop)
@@ -266,9 +269,13 @@ static int oprompci2node(void __user *argp, struct device_node *dp, struct openp
 
 static int oprompath2node(void __user *argp, struct device_node *dp, struct openpromio *op, int bufsize, DATA *data)
 {
+	phandle ph = 0;
+
 	dp = of_find_node_by_path(op->oprom_array);
+	if (dp)
+		ph = dp->node;
 	data->current_node = dp;
-	*((int *)op->oprom_array) = dp->node;
+	*((int *)op->oprom_array) = ph;
 	op->oprom_size = sizeof(int);
 
 	return copyout(argp, op, bufsize + sizeof(int));
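Review bot: `data->current_node = dp;` now deliberately stores NULL when the path lookup fails, so every ioctl handler that is handed `current_node` has to tolerate a NULL `dp`. This commit guards only opromgetprop and opromnxtprop. The remaining handlers are not visible here (oprompci2node appears only in the hunk header), so it is worth confirming that each one either checks `dp` or never dereferences it. A comment at the assignment, e.g. `/* may be NULL: handlers must check before dereferencing */`, would make that invariant explicit. The closing brace of oprompath2node lies outside the hunk.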

From b9c54f91a48146778fe91423d4d467a0ee8c719b Mon Sep 17 00:00:00 2001
From: Andy Walker <andy@puszczka.com>
Date: Mon, 18 Sep 2006 07:11:36 -0700
Subject: [PATCH 2/2] [SPARC]: Fix regression in sys_getdomainname()

This patch corrects the buffer length checking in the
sys_getdomainname() implementation for sparc/sparc64.

Signed-off-by: Andy Walker <andy@puszczka.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 arch/sparc/kernel/sys_sparc.c   | 10 ++++++----
 arch/sparc64/kernel/sys_sparc.c | 10 ++++++----
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/arch/sparc/kernel/sys_sparc.c b/arch/sparc/kernel/sys_sparc.c
index 94ff58c9d4a9..896863fb208a 100644
--- a/arch/sparc/kernel/sys_sparc.c
+++ b/arch/sparc/kernel/sys_sparc.c
@@ -470,19 +470,21 @@ asmlinkage int sys_getdomainname(char __user *name, int len)
 {
  	int nlen, err;
  	
-	if (len < 0 || len > __NEW_UTS_LEN)
+	if (len < 0)
 		return -EINVAL;
 
  	down_read(&uts_sem);
  	
 	nlen = strlen(system_utsname.domainname) + 1;
-	if (nlen < len)
-		len = nlen;
+	err = -EINVAL;
+	if (nlen > len)
+		goto out;
 
 	err = -EFAULT;
-	if (!copy_to_user(name, system_utsname.domainname, len))
+	if (!copy_to_user(name, system_utsname.domainname, nlen))
 		err = 0;
 
+out:
 	up_read(&uts_sem);
 	return err;
 }
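Review bot: The check `if (nlen > len) goto out;` changes the call from truncating to rejecting a short buffer, and nothing in the code records that contract. A comment above it would help, such as `/* The whole name including its NUL must fit; short buffers get -EINVAL, never a truncated copy. */`. With the `len > __NEW_UTS_LEN` test removed, the copy size is bounded only by `nlen`, so it relies on `system_utsname.domainname` being NUL-terminated inside its array. That is presumably enforced where the name is set, which is not visible here. The same applies to the identical sparc64 hunk that follows.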
diff --git a/arch/sparc64/kernel/sys_sparc.c b/arch/sparc64/kernel/sys_sparc.c
index bf5f14ee73de..c608c947e6c3 100644
--- a/arch/sparc64/kernel/sys_sparc.c
+++ b/arch/sparc64/kernel/sys_sparc.c
@@ -707,19 +707,21 @@ asmlinkage long sys_getdomainname(char __user *name, int len)
 {
         int nlen, err;
 
-	if (len < 0 || len > __NEW_UTS_LEN)
+	if (len < 0)
 		return -EINVAL;
 
  	down_read(&uts_sem);
  	
 	nlen = strlen(system_utsname.domainname) + 1;
-        if (nlen < len)
-                len = nlen;
+	err = -EINVAL;
+	if (nlen > len)
+		goto out;
 
 	err = -EFAULT;
-	if (!copy_to_user(name, system_utsname.domainname, len))
+	if (!copy_to_user(name, system_utsname.domainname, nlen))
 		err = 0;
 
+out:
 	up_read(&uts_sem);
 	return err;
 }