[Bluetooth] Fix compat ioctl for BNEP, CMTP and HIDP

There exists no attempt do deal with the fact that a structure with a uint32_t followed by a pointer is going to be different for 32-bit and 64-bit userspace. Any 32-bit process trying to use it will be failing with -EFAULT if it's lucky; suffering from having data dumped at a random address if it's not. Signed-off-by: David Woodhouse <dwmw2@infradead.org> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
author: Marcel Holtmann <marcel@holtmann.org> 2006-10-15 11:30:22 -0400
committer: David S. Miller <davem@sunset.davemloft.net> 2006-10-16 02:14:27 -0400
commit: e9c5702e3c5558dade169949abd730173e87ef9c (patch)
tree: 58ec8dcd1497b51e1d6a447d8c4a34a0bd2f108d /net/bluetooth
parent: 39c850863d5e36e72ecf9bc3537ec717bcce97fd (diff)
3 files changed, 161 insertions, 17 deletions
diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c
index 28c55835422a..5d9d6f14b310 100644
--- a/net/bluetooth/bnep/sock.c
+++ b/net/bluetooth/bnep/sock.c
@@ -43,6 +43,7 @@
 #include <linux/ioctl.h>
 #include <linux/file.h>
 #include <linux/init.h>
+#include <linux/compat.h>
 #include <net/sock.h>
 #include <asm/system.h>
@@ -146,24 +147,56 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
        return 0;
 }
+#ifdef CONFIG_COMPAT
+static int bnep_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
+{
+        if (cmd == BNEPGETCONNLIST) {
+                struct bnep_connlist_req cl;
+                uint32_t uci;
+                int err;
+                if (get_user(cl.cnum, (uint32_t __user *) arg) ||
+                                get_user(uci, (u32 __user *) (arg + 4)))
+                        return -EFAULT;
+                cl.ci = compat_ptr(uci);
+                if (cl.cnum <= 0)
+                        return -EINVAL;
+        
+                err = bnep_get_connlist(&cl);
+                if (!err && put_user(cl.cnum, (uint32_t __user *) arg))
+                        err = -EFAULT;
+                return err;
+        }
+        return bnep_sock_ioctl(sock, cmd, arg);
+}
+#endif
 static const struct proto_ops bnep_sock_ops = {
-        .family     = PF_BLUETOOTH,
+        .family         = PF_BLUETOOTH,
-        .owner      = THIS_MODULE,
+        .owner          = THIS_MODULE,
-        .release    = bnep_sock_release,
+        .release        = bnep_sock_release,
-        .ioctl      = bnep_sock_ioctl,
+        .ioctl          = bnep_sock_ioctl,
-        .bind       = sock_no_bind,
+#ifdef CONFIG_COMPAT
-        .getname    = sock_no_getname,
+        .compat_ioctl   = bnep_sock_compat_ioctl,
-        .sendmsg    = sock_no_sendmsg,
+#endif
-        .recvmsg    = sock_no_recvmsg,
+        .bind           = sock_no_bind,
-        .poll       = sock_no_poll,
+        .getname        = sock_no_getname,
-        .listen     = sock_no_listen,
+        .sendmsg        = sock_no_sendmsg,
-        .shutdown   = sock_no_shutdown,
+        .recvmsg        = sock_no_recvmsg,
-        .setsockopt = sock_no_setsockopt,
+        .poll           = sock_no_poll,
-        .getsockopt = sock_no_getsockopt,
+        .listen         = sock_no_listen,
-        .connect    = sock_no_connect,
+        .shutdown       = sock_no_shutdown,
-        .socketpair = sock_no_socketpair,
+        .setsockopt     = sock_no_setsockopt,
-        .accept     = sock_no_accept,
+        .getsockopt     = sock_no_getsockopt,
-        .mmap       = sock_no_mmap
+        .connect        = sock_no_connect,
+        .socketpair     = sock_no_socketpair,
+        .accept         = sock_no_accept,
+        .mmap           = sock_no_mmap
 };
 static struct proto bnep_proto = {
diff --git a/net/bluetooth/cmtp/sock.c b/net/bluetooth/cmtp/sock.c
index 10ad7fd91d83..0547edd57734 100644
--- a/net/bluetooth/cmtp/sock.c
+++ b/net/bluetooth/cmtp/sock.c
@@ -34,6 +34,7 @@
 #include <linux/socket.h>
 #include <linux/ioctl.h>
 #include <linux/file.h>
+#include <linux/compat.h>
 #include <net/sock.h>
 #include <linux/isdn/capilli.h>
@@ -137,11 +138,43 @@ static int cmtp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
        return -EINVAL;
 }
+#ifdef CONFIG_COMPAT
+static int cmtp_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
+{
+        if (cmd == CMTPGETCONNLIST) {
+                struct cmtp_connlist_req cl;
+                uint32_t uci;
+                int err;
+                if (get_user(cl.cnum, (uint32_t __user *) arg) ||
+                                get_user(uci, (u32 __user *) (arg + 4)))
+                        return -EFAULT;
+                cl.ci = compat_ptr(uci);
+                if (cl.cnum <= 0)
+                        return -EINVAL;
+        
+                err = cmtp_get_connlist(&cl);
+                if (!err && put_user(cl.cnum, (uint32_t __user *) arg))
+                        err = -EFAULT;
+                return err;
+        }
+        return cmtp_sock_ioctl(sock, cmd, arg);
+}
+#endif
 static const struct proto_ops cmtp_sock_ops = {
        .family         = PF_BLUETOOTH,
        .owner          = THIS_MODULE,
        .release        = cmtp_sock_release,
        .ioctl          = cmtp_sock_ioctl,
+#ifdef CONFIG_COMPAT
+        .compat_ioctl   = cmtp_sock_compat_ioctl,
+#endif
        .bind           = sock_no_bind,
        .getname        = sock_no_getname,
        .sendmsg        = sock_no_sendmsg,
diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c
index 099646e4e2ef..6242446aa270 100644
--- a/net/bluetooth/hidp/sock.c
+++ b/net/bluetooth/hidp/sock.c
@@ -35,6 +35,7 @@
 #include <linux/ioctl.h>
 #include <linux/file.h>
 #include <linux/init.h>
+#include <linux/compat.h>
 #include <net/sock.h>
 #include "hidp.h"
@@ -143,11 +144,88 @@ static int hidp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
        return -EINVAL;
 }
+#ifdef CONFIG_COMPAT
+struct compat_hidp_connadd_req {
+        int   ctrl_sock;        // Connected control socket
+        int   intr_sock;        // Connteted interrupt socket
+        __u16 parser;
+        __u16 rd_size;
+        compat_uptr_t rd_data;
+        __u8  country;
+        __u8  subclass;
+        __u16 vendor;
+        __u16 product;
+        __u16 version;
+        __u32 flags;
+        __u32 idle_to;
+        char  name[128];
+};
+static int hidp_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
+{
+        if (cmd == HIDPGETCONNLIST) {
+                struct hidp_connlist_req cl;
+                uint32_t uci;
+                int err;
+                if (get_user(cl.cnum, (uint32_t __user *) arg) ||
+                                get_user(uci, (u32 __user *) (arg + 4)))
+                        return -EFAULT;
+                cl.ci = compat_ptr(uci);
+                if (cl.cnum <= 0)
+                        return -EINVAL;
+                err = hidp_get_connlist(&cl);
+                if (!err && put_user(cl.cnum, (uint32_t __user *) arg))
+                        err = -EFAULT;
+                return err;
+        } else if (cmd == HIDPCONNADD) {
+                struct compat_hidp_connadd_req ca;
+                struct hidp_connadd_req __user *uca;
+                uca = compat_alloc_user_space(sizeof(*uca));
+                if (copy_from_user(&ca, (void *) arg, sizeof(ca)))
+                        return -EFAULT;
+                if (put_user(ca.ctrl_sock, &uca->ctrl_sock) ||
+                                put_user(ca.intr_sock, &uca->intr_sock) ||
+                                put_user(ca.parser, &uca->parser) ||
+                                put_user(ca.rd_size, &uca->parser) ||
+                                put_user(compat_ptr(ca.rd_data), &uca->rd_data) ||
+                                put_user(ca.country, &uca->country) ||
+                                put_user(ca.subclass, &uca->subclass) ||
+                                put_user(ca.vendor, &uca->vendor) ||
+                                put_user(ca.product, &uca->product) ||
+                                put_user(ca.version, &uca->version) ||
+                                put_user(ca.flags, &uca->flags) ||
+                                put_user(ca.idle_to, &uca->idle_to) ||
+                                copy_to_user(&uca->name[0], &ca.name[0], 128))
+                        return -EFAULT;
+                
+                arg = (unsigned long) uca;
+                /* Fall through. We don't actually write back any _changes_
+                   to the structure anyway, so there's no need to copy back
+                   into the original compat version */
+        }
+        return hidp_sock_ioctl(sock, cmd, arg);
+}
+#endif
 static const struct proto_ops hidp_sock_ops = {
        .family         = PF_BLUETOOTH,
        .owner          = THIS_MODULE,
        .release        = hidp_sock_release,
        .ioctl          = hidp_sock_ioctl,
+#ifdef CONFIG_COMPAT
+        .compat_ioctl   = hidp_sock_compat_ioctl,
+#endif
        .bind           = sock_no_bind,
        .getname        = sock_no_getname,
        .sendmsg        = sock_no_sendmsg,
author	Marcel Holtmann <marcel@holtmann.org>	2006-10-15 11:30:22 -0400
committer	David S. Miller <davem@sunset.davemloft.net>	2006-10-16 02:14:27 -0400
commit	e9c5702e3c5558dade169949abd730173e87ef9c (patch)
tree	58ec8dcd1497b51e1d6a447d8c4a34a0bd2f108d /net/bluetooth
parent	39c850863d5e36e72ecf9bc3537ec717bcce97fd (diff)

diff --git a/net/bluetooth/bnep/sock.c b/net/bluetooth/bnep/sock.c index 28c55835422a..5d9d6f14b310 100644 --- a/net/bluetooth/bnep/sock.c +++ b/net/bluetooth/bnep/sock.c
@@ -43,6 +43,7 @@
43	#include <linux/ioctl.h>	43	#include <linux/ioctl.h>
44	#include <linux/file.h>	44	#include <linux/file.h>
45	#include <linux/init.h>	45	#include <linux/init.h>
		46	#include <linux/compat.h>
46	#include <net/sock.h>	47	#include <net/sock.h>
47		48
48	#include <asm/system.h>	49	#include <asm/system.h>
@@ -146,24 +147,56 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
146	return 0;	147	return 0;
147	}	148	}
148		149
		150	#ifdef CONFIG_COMPAT
		151	static int bnep_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
		152	{
		153	if (cmd == BNEPGETCONNLIST) {
		154	struct bnep_connlist_req cl;
		155	uint32_t uci;
		156	int err;
		157
		158	if (get_user(cl.cnum, (uint32_t __user *) arg) \|\|
		159	get_user(uci, (u32 __user *) (arg + 4)))
		160	return -EFAULT;
		161
		162	cl.ci = compat_ptr(uci);
		163
		164	if (cl.cnum <= 0)
		165	return -EINVAL;
		166
		167	err = bnep_get_connlist(&cl);
		168
		169	if (!err && put_user(cl.cnum, (uint32_t __user *) arg))
		170	err = -EFAULT;
		171
		172	return err;
		173	}
		174
		175	return bnep_sock_ioctl(sock, cmd, arg);
		176	}
		177	#endif
		178
149	static const struct proto_ops bnep_sock_ops = {	179	static const struct proto_ops bnep_sock_ops = {
150	.family = PF_BLUETOOTH,	180	.family = PF_BLUETOOTH,
151	.owner = THIS_MODULE,	181	.owner = THIS_MODULE,
152	.release = bnep_sock_release,	182	.release = bnep_sock_release,
153	.ioctl = bnep_sock_ioctl,	183	.ioctl = bnep_sock_ioctl,
154	.bind = sock_no_bind,	184	#ifdef CONFIG_COMPAT
155	.getname = sock_no_getname,	185	.compat_ioctl = bnep_sock_compat_ioctl,
156	.sendmsg = sock_no_sendmsg,	186	#endif
157	.recvmsg = sock_no_recvmsg,	187	.bind = sock_no_bind,
158	.poll = sock_no_poll,	188	.getname = sock_no_getname,
159	.listen = sock_no_listen,	189	.sendmsg = sock_no_sendmsg,
160	.shutdown = sock_no_shutdown,	190	.recvmsg = sock_no_recvmsg,
161	.setsockopt = sock_no_setsockopt,	191	.poll = sock_no_poll,
162	.getsockopt = sock_no_getsockopt,	192	.listen = sock_no_listen,
163	.connect = sock_no_connect,	193	.shutdown = sock_no_shutdown,
164	.socketpair = sock_no_socketpair,	194	.setsockopt = sock_no_setsockopt,
165	.accept = sock_no_accept,	195	.getsockopt = sock_no_getsockopt,
166	.mmap = sock_no_mmap	196	.connect = sock_no_connect,
		197	.socketpair = sock_no_socketpair,
		198	.accept = sock_no_accept,
		199	.mmap = sock_no_mmap
167	};	200	};
168		201
169	static struct proto bnep_proto = {	202	static struct proto bnep_proto = {


diff --git a/net/bluetooth/cmtp/sock.c b/net/bluetooth/cmtp/sock.c index 10ad7fd91d83..0547edd57734 100644 --- a/net/bluetooth/cmtp/sock.c +++ b/net/bluetooth/cmtp/sock.c
@@ -34,6 +34,7 @@
34	#include <linux/socket.h>	34	#include <linux/socket.h>
35	#include <linux/ioctl.h>	35	#include <linux/ioctl.h>
36	#include <linux/file.h>	36	#include <linux/file.h>
		37	#include <linux/compat.h>
37	#include <net/sock.h>	38	#include <net/sock.h>
38		39
39	#include <linux/isdn/capilli.h>	40	#include <linux/isdn/capilli.h>
@@ -137,11 +138,43 @@ static int cmtp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
137	return -EINVAL;	138	return -EINVAL;
138	}	139	}
139		140
		141	#ifdef CONFIG_COMPAT
		142	static int cmtp_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
		143	{
		144	if (cmd == CMTPGETCONNLIST) {
		145	struct cmtp_connlist_req cl;
		146	uint32_t uci;
		147	int err;
		148
		149	if (get_user(cl.cnum, (uint32_t __user *) arg) \|\|
		150	get_user(uci, (u32 __user *) (arg + 4)))
		151	return -EFAULT;
		152
		153	cl.ci = compat_ptr(uci);
		154
		155	if (cl.cnum <= 0)
		156	return -EINVAL;
		157
		158	err = cmtp_get_connlist(&cl);
		159
		160	if (!err && put_user(cl.cnum, (uint32_t __user *) arg))
		161	err = -EFAULT;
		162
		163	return err;
		164	}
		165
		166	return cmtp_sock_ioctl(sock, cmd, arg);
		167	}
		168	#endif
		169
140	static const struct proto_ops cmtp_sock_ops = {	170	static const struct proto_ops cmtp_sock_ops = {
141	.family = PF_BLUETOOTH,	171	.family = PF_BLUETOOTH,
142	.owner = THIS_MODULE,	172	.owner = THIS_MODULE,
143	.release = cmtp_sock_release,	173	.release = cmtp_sock_release,
144	.ioctl = cmtp_sock_ioctl,	174	.ioctl = cmtp_sock_ioctl,
		175	#ifdef CONFIG_COMPAT
		176	.compat_ioctl = cmtp_sock_compat_ioctl,
		177	#endif
145	.bind = sock_no_bind,	178	.bind = sock_no_bind,
146	.getname = sock_no_getname,	179	.getname = sock_no_getname,
147	.sendmsg = sock_no_sendmsg,	180	.sendmsg = sock_no_sendmsg,


diff --git a/net/bluetooth/hidp/sock.c b/net/bluetooth/hidp/sock.c index 099646e4e2ef..6242446aa270 100644 --- a/net/bluetooth/hidp/sock.c +++ b/net/bluetooth/hidp/sock.c
@@ -35,6 +35,7 @@
35	#include <linux/ioctl.h>	35	#include <linux/ioctl.h>
36	#include <linux/file.h>	36	#include <linux/file.h>
37	#include <linux/init.h>	37	#include <linux/init.h>
		38	#include <linux/compat.h>
38	#include <net/sock.h>	39	#include <net/sock.h>
39		40
40	#include "hidp.h"	41	#include "hidp.h"
@@ -143,11 +144,88 @@ static int hidp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
143	return -EINVAL;	144	return -EINVAL;
144	}	145	}
145		146
		147	#ifdef CONFIG_COMPAT
		148	struct compat_hidp_connadd_req {
		149	int ctrl_sock; // Connected control socket
		150	int intr_sock; // Connteted interrupt socket
		151	__u16 parser;
		152	__u16 rd_size;
		153	compat_uptr_t rd_data;
		154	__u8 country;
		155	__u8 subclass;
		156	__u16 vendor;
		157	__u16 product;
		158	__u16 version;
		159	__u32 flags;
		160	__u32 idle_to;
		161	char name[128];
		162	};
		163
		164	static int hidp_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
		165	{
		166	if (cmd == HIDPGETCONNLIST) {
		167	struct hidp_connlist_req cl;
		168	uint32_t uci;
		169	int err;
		170
		171	if (get_user(cl.cnum, (uint32_t __user *) arg) \|\|
		172	get_user(uci, (u32 __user *) (arg + 4)))
		173	return -EFAULT;
		174
		175	cl.ci = compat_ptr(uci);
		176
		177	if (cl.cnum <= 0)
		178	return -EINVAL;
		179
		180	err = hidp_get_connlist(&cl);
		181
		182	if (!err && put_user(cl.cnum, (uint32_t __user *) arg))
		183	err = -EFAULT;
		184
		185	return err;
		186	} else if (cmd == HIDPCONNADD) {
		187	struct compat_hidp_connadd_req ca;
		188	struct hidp_connadd_req __user *uca;
		189
		190	uca = compat_alloc_user_space(sizeof(*uca));
		191
		192	if (copy_from_user(&ca, (void *) arg, sizeof(ca)))
		193	return -EFAULT;
		194
		195	if (put_user(ca.ctrl_sock, &uca->ctrl_sock) \|\|
		196	put_user(ca.intr_sock, &uca->intr_sock) \|\|
		197	put_user(ca.parser, &uca->parser) \|\|
		198	put_user(ca.rd_size, &uca->parser) \|\|
		199	put_user(compat_ptr(ca.rd_data), &uca->rd_data) \|\|
		200	put_user(ca.country, &uca->country) \|\|
		201	put_user(ca.subclass, &uca->subclass) \|\|
		202	put_user(ca.vendor, &uca->vendor) \|\|
		203	put_user(ca.product, &uca->product) \|\|
		204	put_user(ca.version, &uca->version) \|\|
		205	put_user(ca.flags, &uca->flags) \|\|
		206	put_user(ca.idle_to, &uca->idle_to) \|\|
		207	copy_to_user(&uca->name[0], &ca.name[0], 128))
		208	return -EFAULT;
		209
		210	arg = (unsigned long) uca;
		211
		212	/* Fall through. We don't actually write back any _changes_
		213	to the structure anyway, so there's no need to copy back
		214	into the original compat version */
		215	}
		216
		217	return hidp_sock_ioctl(sock, cmd, arg);
		218	}
		219	#endif
		220
146	static const struct proto_ops hidp_sock_ops = {	221	static const struct proto_ops hidp_sock_ops = {
147	.family = PF_BLUETOOTH,	222	.family = PF_BLUETOOTH,
148	.owner = THIS_MODULE,	223	.owner = THIS_MODULE,
149	.release = hidp_sock_release,	224	.release = hidp_sock_release,
150	.ioctl = hidp_sock_ioctl,	225	.ioctl = hidp_sock_ioctl,
		226	#ifdef CONFIG_COMPAT
		227	.compat_ioctl = hidp_sock_compat_ioctl,
		228	#endif
151	.bind = sock_no_bind,	229	.bind = sock_no_bind,
152	.getname = sock_no_getname,	230	.getname = sock_no_getname,
153	.sendmsg = sock_no_sendmsg,	231	.sendmsg = sock_no_sendmsg,