Bug 6617 - drivers/usb/core/devio.c dereference userspace pointer
Summary: drivers/usb/core/devio.c dereference userspace pointer
Status: REJECTED INVALID
Alias: None
Product: Drivers
Classification: Unclassified
Component: USB (show other bugs)
Hardware: i386 Linux
: P2 normal
Assignee: Greg Kroah-Hartman
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-05-26 15:03 UTC by Philippe R
Modified: 2006-06-02 15:32 UTC (History)
1 user (show)

See Also:
Kernel Version: 2.6.17-rc1
Subsystem:
Regression: ---
Bisected commit-id:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Philippe R 2006-05-26 15:03:38 UTC 
File:
drivers/usb/core/devio.c

Function:
proc_submiturb()

This function dereference a __user pointer. 
Here is a proposed patch:

Signed-Off-By: Philippe R
Comment 1 Andrew Morton 2006-05-26 15:24:22 UTC 
bugme-daemon@bugzilla.kernel.org wrote:
>
> http://bugzilla.kernel.org/show_bug.cgi?id=6617
> 
>            Summary: drivers/usb/core/devio.c dereference userspace pointer
>     Kernel Version: 2.6.17-rc1
>             Status: NEW
>           Severity: normal
>              Owner: greg@kroah.com
>          Submitter: couriousous@mandriva.org
> 
> 
> File:
> drivers/usb/core/devio.c
> 
> Function:
> proc_submiturb()
> 
> This function dereference a __user pointer. 
> Here is a proposed patch:
> 
> Signed-Off-By: Philippe R
Comment 2 Rene Herman 2006-05-26 15:42:26 UTC 
Nope, not bug.

Note that iso_frame_desc is an array. Ie, ((struct usbdevfs_urb __user
*)arg)->iso_frame_desc is just arg + N, with N iso_frame_desc's offset inside
struct usbdevfs_urb.

It could perhaps be clearer to say &(..)->iso_frame_desc[0], but being as how
that's the same thing, it's not a bug.
Comment 3 Greg Kroah-Hartman 2006-06-02 15:32:28 UTC 
Yeah, I agree, this isn't a bug, and the patch from Andrew doesn't really make
much sense as it's just the same thing.
Note You need to log in before you can comment on or make changes to this bug.