This patch fixes a case where a structure field is not initialized before the structure is copied to user level.
The semantic match that finds this problem is as follows (http://coccinelle.lip6.fr/). It uses other references to the same structure in the current file to find the set of fields that should be initialized.
@a disable decl_init@
identifier x,x1;
type T,T1;
expression e,sz;
@@

T x;
... when any
copy_to_user(e,&x,sz)

@r@
a.T y;
identifier f,f1,f2;
@@

(
y.f1[...]
|
y.f1.f2
|
y.f
)

@b@
identifier a.x,r.f;
type a.T;
expression e,e1,sz;
position p,p0;
@@

T x@p0;
... when != x.f = e1
    when != &x
    when != &(x.f)
    when != get_user(x.f,...)
    when != __get_user(x.f,...)
    when != x = e1
copy_to_user@p(e,&x,sz)

@script:ocaml@
t << a.T;
x << a.x;
f << r.f;
p << b.p;
@@

Printf.printf "%s:%d: %s %s missing %s\n" (List.hd p).file (List.hd p).line t x f
From: Julia Lawall <Julia.Lawall@lip6.fr>
The c32 structure is allocated on the stack and its idx field is not initialized before copying it to user level. This patch takes the value from the result of the ioctl, as done for the other fields.
Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
---
An alternative would be to change the earlier code

	if (get_user(idx, &argp->idx))
		return -EFAULT;

to write into the c32 structure, rather than into the local idx variable. This would be more similar to what is done in compat_drm_version.
 drivers/gpu/drm/drm_ioc32.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c index ddd70db..637fcc3 100644 --- a/drivers/gpu/drm/drm_ioc32.c +++ b/drivers/gpu/drm/drm_ioc32.c @@ -315,7 +315,8 @@ static int compat_drm_getclient(struct file *file, unsigned int cmd, if (err) return err;
- if (__get_user(c32.auth, &client->auth) + if (__get_user(c32.idx, &client->idx) + || __get_user(c32.auth, &client->auth) || __get_user(c32.pid, &client->pid) || __get_user(c32.uid, &client->uid) || __get_user(c32.magic, &client->magic)
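Review bot: the added `__get_user(c32.idx, &client->idx)` closes the gap where `c32.idx` was left unwritten on the stack and then copied out, so user space received whatever kernel stack bytes happened to be there; since the function has already fetched `idx` from `argp->idx` with `get_user()` (the `if (get_user(idx, &argp->idx)) return -EFAULT;` line quoted in the note above), the alternative mentioned there, `c32.idx = idx;`, would fill the field without a second user-space access and without folding it into the error-returning `||` chain. Whichever form is kept, a short comment above the `__get_user` chain stating that every field of c32 must be assigned before the copy-out would make the invariant visible to the next person editing this function.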
dri-devel@lists.freedesktop.org
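A small user-space model of the pattern this patch fixes, added here as an illustration and not part of the patch or of drm_ioc32.c: the struct client32 and client64 layouts, the two convert_* functions and the poison bytes are constructed stand-ins for struct drm_client32 and the real ioctl result, not the kernel's definitions. It shows a runtime check that complements the static semantic match above: poison the output structure twice with different byte patterns, run the conversion, and count the bytes that still carry the poison in both runs. Those are exactly the bytes a copy_to_user() of the structure would hand to user space uninitialized; using two patterns avoids flagging a field whose real value happens to equal one poison byte.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for the 32-bit compat structure (the real
 * struct drm_client32 is defined in drm_ioc32.c; this is only a model). */
struct client32 {
    uint32_t idx;
    uint32_t auth;
    uint32_t pid;
    uint32_t uid;
    uint32_t magic;
};

/* Constructed stand-in for the native structure the ioctl fills in. */
struct client64 {
    uint32_t idx;
    uint32_t auth;
    uint32_t pid;
    uint32_t uid;
    uint64_t magic;
};

typedef void (*convert_fn)(const struct client64 *src, struct client32 *dst);

/* "Before" conversion: mirrors the original code in that every field
 * except idx is copied, so idx keeps whatever the stack held. */
static void convert_before(const struct client64 *src, struct client32 *dst)
{
    dst->auth  = src->auth;
    dst->pid   = src->pid;
    dst->uid   = src->uid;
    dst->magic = (uint32_t)src->magic;
}

/* "After" conversion: idx is assigned too, as the patch does. */
static void convert_after(const struct client64 *src, struct client32 *dst)
{
    dst->idx   = src->idx;
    dst->auth  = src->auth;
    dst->pid   = src->pid;
    dst->uid   = src->uid;
    dst->magic = (uint32_t)src->magic;
}

/* Pre-fill the output with one poison byte, run the converter, and copy
 * the raw bytes out (this memcpy plays the role of copy_to_user). */
static void run_poisoned(convert_fn conv, unsigned char poison,
                         unsigned char out[sizeof(struct client32)])
{
    /* Constructed sample input; no byte of it equals either poison. */
    struct client64 src = {
        .idx = 7, .auth = 1, .pid = 1234, .uid = 1000, .magic = 0xdeadbeefULL
    };
    struct client32 c32;
    memset(&c32, poison, sizeof c32);
    conv(&src, &c32);
    memcpy(out, &c32, sizeof c32);
}

/* Number of bytes the converter never wrote: a byte is counted only if it
 * still holds the poison after both runs, which a genuine value cannot do. */
size_t untouched_bytes(convert_fn conv)
{
    unsigned char a[sizeof(struct client32)], b[sizeof(struct client32)];
    run_poisoned(conv, 0xA5, a);
    run_poisoned(conv, 0x5A, b);
    size_t n = 0;
    for (size_t i = 0; i < sizeof(struct client32); i++)
        if (a[i] == 0xA5 && b[i] == 0x5A)
            n++;
    return n;
}

size_t leak_bytes_before(void) { return untouched_bytes(convert_before); }
size_t leak_bytes_after(void)  { return untouched_bytes(convert_after); }

int main(void)
{
    printf("bytes left uninitialized before the fix: %zu\n", leak_bytes_before());
    printf("bytes left uninitialized after the fix:  %zu\n", leak_bytes_after());
    return 0;
}
```

The "before" model reports the four bytes of idx as untouched and the "after" model reports none. In a real driver the same check can be applied to any compat conversion that builds a struct on the stack before copy_to_user(); a memset() of the whole structure before filling it is the usual belt-and-braces measure, since it also covers padding bytes that no field assignment ever reaches.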