Hi,
Looking through i2c-dev.c, I noticed the following code, which appears
to be wrong:
/* copy user space data to kernel space. */
tmp = kmalloc(count,GFP_KERNEL);
if (tmp==NULL)
return -ENOMEM;
#ifdef DEBUG
printk("i2c-dev,o: i2c-%d reading %d bytes.\n",MINOR(inode->i_rdev),count);
#endif
ret = i2c_master_recv(client,tmp,count);
copy_to_user(buf,tmp,count);
kfree(tmp);
return ret;
for the following reasons:
1. If i2c_master_recv does not write to `tmp' but returns an error,
copy_to_user will copy uninitialised kernel memory to the user,
possibly from another user process - security concern.
2. copy_to_user may fault, and if this is the case, the user will
never know (the user will not see the EFAULT error code returned).
There are more instances of point 2, including some with copy_from_user.
_____
|_____| ------------------------------------------------- ---+---+-
| | Russell King rmk@arm.linux.org.uk --- ---
| | | | http://www.arm.linux.org.uk/~rmk/aboutme.html / / |
| +-+-+ --- -+-
/ | THE developer of ARM Linux |+| /|\
/ | | | --- |
+-+-+ ------------------------------------------------- /\\\ |
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sun Jan 23 2000 - 21:00:27 EST