aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Miller <davem@davemloft.net>2007-09-11 18:23:50 -0400
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2007-09-11 20:21:20 -0400
commitf629307c857c030d5a3dd777fee37c8bb395e171 (patch)
tree872077db1924672104f8e1267f53bfa70f79b13c
parent179c85ea53bef807621f335767e41e23f86f01df (diff)
tty: termios locking functions break with new termios type
I ran into a few problems. n_tty_ioctl() for instance: drivers/char/tty_ioctl.c:799: error: $,1rxstruct termios$,1ry has no member named $,1rxc_ispeed$,1ry This is calling the copy interface that is supposed to be using a termios2 when the new interfaces are defined, however: case TIOCGLCKTRMIOS: if (kernel_termios_to_user_termios((struct termios __user *)arg, real_tty->termios_locked)) return -EFAULT; return 0; This is going to write over the end of the userspace structure by a few bytes, and wasn't caught by you yet because the i386 implementation is simply copy_to_user() which does zero type checking. Signed-off-by: Alan Cox <alan@redhat.com> Cc: "David S. Miller" <davem@davemloft.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--drivers/char/tty_ioctl.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/char/tty_ioctl.c b/drivers/char/tty_ioctl.c
index 3423e9ee6481..4a8969cef315 100644
--- a/drivers/char/tty_ioctl.c
+++ b/drivers/char/tty_ioctl.c
@@ -796,14 +796,14 @@ int n_tty_ioctl(struct tty_struct * tty, struct file * file,
796 retval = inq_canon(tty); 796 retval = inq_canon(tty);
797 return put_user(retval, (unsigned int __user *) arg); 797 return put_user(retval, (unsigned int __user *) arg);
798 case TIOCGLCKTRMIOS: 798 case TIOCGLCKTRMIOS:
799 if (kernel_termios_to_user_termios((struct termios __user *)arg, real_tty->termios_locked)) 799 if (kernel_termios_to_user_termios_1((struct termios __user *)arg, real_tty->termios_locked))
800 return -EFAULT; 800 return -EFAULT;
801 return 0; 801 return 0;
802 802
803 case TIOCSLCKTRMIOS: 803 case TIOCSLCKTRMIOS:
804 if (!capable(CAP_SYS_ADMIN)) 804 if (!capable(CAP_SYS_ADMIN))
805 return -EPERM; 805 return -EPERM;
806 if (user_termios_to_kernel_termios(real_tty->termios_locked, (struct termios __user *) arg)) 806 if (user_termios_to_kernel_termios_1(real_tty->termios_locked, (struct termios __user *) arg))
807 return -EFAULT; 807 return -EFAULT;
808 return 0; 808 return 0;
809 809