[PATCH] new sysctl checking accesses userspace directly

Petr Vandrovec (vandrove@vc.cvut.cz)
Sun, 13 Jul 2003 15:35:40 +0200


Hi Linus,
recent change from Andi breaks here: tmp.name is a pointer, not an
array in __sysctl_args, and so it is better to access it through
copy_from_user instead of directly.

With the patch below it does not crash with an unhandled kernel paging
request anymore.
Thanks,
Petr Vandrovec
vandrove@vc.cvut.cz

--- linux/kernel/sysctl.c 2003-07-13 01:37:39.000000000 +0200
+++ linux/kernel/sysctl.c 2003-07-13 15:15:06.000000000 +0200
@@ -848,17 +848,25 @@
asmlinkage long sys_sysctl(struct __sysctl_args __user *args)
{
struct __sysctl_args tmp;
+ int name[2];
int error;

if (copy_from_user(&tmp, args, sizeof(tmp)))
return -EFAULT;

- if (tmp.nlen != 2 || tmp.name[0] != CTL_KERN ||
- tmp.name[1] != KERN_VERSION) {
+ if (tmp.nlen != 2 || copy_from_user(name, tmp.name, sizeof(name)) ||
+ name[0] != CTL_KERN || name[1] != KERN_VERSION) {
int i;
printk(KERN_INFO "%s: numerical sysctl ", current->comm);
- for (i = 0; i < tmp.nlen; i++)
- printk("%d ", tmp.name[i]);
+ for (i = 0; i < tmp.nlen; i++) {
+ int n;
+
+ if (get_user(n, tmp.name+i)) {
+ printk("? ");
+ } else {
+ printk("%d ", n);
+ }
+ }
printk("is obsolete.\n");
}
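
Review bot: the diagnostic loop "for (i = 0; i < tmp.nlen; i++)" is still bounded only by tmp.nlen, which comes straight from the copy_from_user() of the userspace args, so a single call with a very large nlen makes the kernel do one get_user() and one printk() per iteration with no upper limit. Suggest capping the loop, for example "i < tmp.nlen && i < CTL_MAXNAME", and printing a marker when the list was truncated. A smaller point: the loop fetches tmp.name[i] from userspace again instead of reusing name[], so the numbers logged can differ from the ones the check compared; that is acceptable for a log line, but a short comment saying the second fetch is diagnostic only would help the next reader.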
