Bug 6617

Summary: drivers/usb/core/devio.c dereference userspace pointer
Product: Drivers
Reporter: Philippe R (couriousous)
Component: USB
Assignee: Greg Kroah-Hartman (greg)
Status: REJECTED INVALID
Severity: normal
CC: rene.herman
Priority: P2
Hardware: i386
OS: Linux
Kernel Version: 2.6.17-rc1
Subsystem:
Regression: ---
Bisected commit-id:

Description Philippe R 2006-05-26 15:03:38 UTC
File:
drivers/usb/core/devio.c

Function:
proc_submiturb()

This function dereferences a __user pointer.
Here is a proposed patch:

Signed-Off-By: Philippe R
Comment 1 Andrew Morton 2006-05-26 15:24:22 UTC
bugme-daemon@bugzilla.kernel.org wrote:
>
> http://bugzilla.kernel.org/show_bug.cgi?id=6617
> 
>            Summary: drivers/usb/core/devio.c dereference userspace pointer
>     Kernel Version: 2.6.17-rc1
>             Status: NEW
>           Severity: normal
>              Owner: greg@kroah.com
>          Submitter: couriousous@mandriva.org
> 
> 
> File:
> drivers/usb/core/devio.c
> 
> Function:
> proc_submiturb()
> 
> This function dereferences a __user pointer.
> Here is a proposed patch:
> 
> Signed-Off-By: Philippe R
Comment 2 Rene Herman 2006-05-26 15:42:26 UTC
Nope, not bug.

Note that iso_frame_desc is an array. I.e., ((struct usbdevfs_urb __user
*)arg)->iso_frame_desc is just arg + N, with N iso_frame_desc's offset inside
struct usbdevfs_urb.

It could perhaps be clearer to say &(..)->iso_frame_desc[0], but being as how
that's the same thing, it's not a bug.
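
The point made in Comment 2, as an added example that is not part of the original thread or the kernel source: naming an array member through a pointer only computes `arg + offset`, while naming a scalar member is a real load. The struct layouts are simplified stand-ins, and `FAKE_USER_ADDR` and all function names are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the usbdevfs structures (assumed layout,
 * not copied from the kernel headers). */
struct demo_iso_desc { unsigned int length, actual_length, status; };
struct demo_urb {
    unsigned char type, endpoint;
    int status;
    void *buffer;
    int number_of_packets;
    struct demo_iso_desc iso_frame_desc[];   /* array member, as in Comment 2 */
};

/* Constructed address standing in for the __user pointer `arg`.
 * It is never read or written anywhere in this file. */
#define FAKE_USER_ADDR ((uintptr_t)0x10000)

/* Array member: the expression decays to a pointer, so this is only
 * "base + offset" arithmetic; no memory behind `u` is touched. */
static uintptr_t desc_addr(struct demo_urb *u)
{
    return (uintptr_t)u->iso_frame_desc;
}

/* The spelling Comment 2 calls clearer; same address, still no load. */
static uintptr_t desc_addr_explicit(struct demo_urb *u)
{
    return (uintptr_t)&u->iso_frame_desc[0];
}

/* Scalar member for contrast: this one IS a load through `u`, the kind
 * of access that would be a bug on a __user pointer. */
static int packet_count(const struct demo_urb *u)
{
    return u->number_of_packets;
}

/* Returns 1 when both spellings equal arg + offsetof(...). */
static int check_fake_user_pointer(void)
{
    struct demo_urb *u = (struct demo_urb *)FAKE_USER_ADDR;
    uintptr_t want = FAKE_USER_ADDR + offsetof(struct demo_urb, iso_frame_desc);
    return desc_addr(u) == want && desc_addr_explicit(u) == want;
}

int main(void)
{
    struct demo_urb real = { .number_of_packets = 3 };  /* kernel-side copy */
    printf("array member is pure arithmetic: %d\n", check_fake_user_pointer());
    printf("scalar read on a real object: %d\n", packet_count(&real));
    return 0;
}
```
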
Comment 3 Greg Kroah-Hartman 2006-06-02 15:32:28 UTC
Yeah, I agree, this isn't a bug, and the patch from Andrew doesn't really make
much sense as it's just the same thing.