Patchwork [lucid,lucid/fsl-imx51,maverick,maverick/ti-omap4,natty,natty/ti-omap4,oneiric,precise,CVE,2/2] regset: Return -EFAULT, not -EIO, on host-side memory fault

Submitter Andy Whitcroft
Date March 8, 2012, 4:08 p.m.
Message ID <1331222934-18007-3-git-send-email-apw@canonical.com>
Permalink /patch/145565/
State New

Comments

Andy Whitcroft - March 8, 2012, 4:08 p.m.
From: "H. Peter Anvin" <hpa@zytor.com>

There is only one error code to return for a bad user-space buffer
pointer passed to a system call in the same address space as the
system call is executed, and that is EFAULT.  Furthermore, the
low-level access routines, which catch most of the faults, return
EFAULT already.

Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Roland McGrath <roland@hack.frob.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

(cherry picked from commit 5189fa19a4b2b4c3bec37c3a019d446148827717)
CVE-2012-1097
BugLink: http://bugs.launchpad.net/bugs/949905
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 include/linux/regset.h |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

Patch

diff --git a/include/linux/regset.h b/include/linux/regset.h
index 5150fd1..686f373 100644
--- a/include/linux/regset.h
+++ b/include/linux/regset.h
@@ -339,7 +339,7 @@  static inline int copy_regset_to_user(struct task_struct *target,
 		return -EOPNOTSUPP;
 
 	if (!access_ok(VERIFY_WRITE, data, size))
-		return -EIO;
+		return -EFAULT;
 
 	return regset->get(target, regset, offset, size, NULL, data);
 }
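Review bot: The failed access_ok(VERIFY_WRITE, data, size) path in copy_regset_to_user() now returns -EFAULT where it returned -EIO, so the errno that user space sees from the calling system call changes. The changelog explains why EFAULT is the right code but does not say whether any in-kernel caller or user-space consumer tests for EIO on this path. Since the patch is Cc'd to stable and proposed for every series listed in the subject, please add a sentence confirming that this was checked.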
@@ -365,7 +365,7 @@  static inline int copy_regset_from_user(struct task_struct *target,
 		return -EOPNOTSUPP;
 
 	if (!access_ok(VERIFY_READ, data, size))
-		return -EIO;
+		return -EFAULT;
 
 	return regset->set(target, regset, offset, size, NULL, data);
 }
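Review bot: The backport is tagged CVE-2012-1097, yet the change in copy_regset_from_user(), like the one in copy_regset_to_user(), only swaps the errno returned after a failed access_ok(VERIFY_READ, data, size), and the changelog does not say how that relates to the CVE. Please state in the backport note that this is patch 2/2 of the series and what it depends on from the other patch, so that someone auditing the CVE fix on a given branch does not take this errno change for the fix itself.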