[Bluetooth] Fix compat ioctl for BNEP, CMTP and HIDP
authorMarcel Holtmann <marcel@holtmann.org>
Sun, 15 Oct 2006 15:30:22 +0000 (17:30 +0200)
committerDavid S. Miller <davem@sunset.davemloft.net>
Mon, 16 Oct 2006 06:14:27 +0000 (23:14 -0700)
There exists no attempt do deal with the fact that a structure with
a uint32_t followed by a pointer is going to be different for 32-bit
and 64-bit userspace. Any 32-bit process trying to use it will be
failing with -EFAULT if it's lucky; suffering from having data dumped
at a random address if it's not.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
net/bluetooth/bnep/sock.c
net/bluetooth/cmtp/sock.c
net/bluetooth/hidp/sock.c

index 28c55835422afb90f1bbf660f5dcb387bde3779b..5d9d6f14b3106e7fc5fded10c6fc59f78eec3930 100644 (file)
@@ -43,6 +43,7 @@
 #include <linux/ioctl.h>
 #include <linux/file.h>
 #include <linux/init.h>
+#include <linux/compat.h>
 #include <net/sock.h>
 
 #include <asm/system.h>
@@ -146,24 +147,56 @@ static int bnep_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
        return 0;
 }
 
+#ifdef CONFIG_COMPAT
+static int bnep_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
+{
+       if (cmd == BNEPGETCONNLIST) {
+               struct bnep_connlist_req cl;
+               uint32_t uci;
+               int err;
+
+               if (get_user(cl.cnum, (uint32_t __user *) arg) ||
+                               get_user(uci, (u32 __user *) (arg + 4)))
+                       return -EFAULT;
+
+               cl.ci = compat_ptr(uci);
+
+               if (cl.cnum <= 0)
+                       return -EINVAL;
+       
+               err = bnep_get_connlist(&cl);
+
+               if (!err && put_user(cl.cnum, (uint32_t __user *) arg))
+                       err = -EFAULT;
+
+               return err;
+       }
+
+       return bnep_sock_ioctl(sock, cmd, arg);
+}
+#endif
+
 static const struct proto_ops bnep_sock_ops = {
-       .family     = PF_BLUETOOTH,
-       .owner      = THIS_MODULE,
-       .release    = bnep_sock_release,
-       .ioctl      = bnep_sock_ioctl,
-       .bind       = sock_no_bind,
-       .getname    = sock_no_getname,
-       .sendmsg    = sock_no_sendmsg,
-       .recvmsg    = sock_no_recvmsg,
-       .poll       = sock_no_poll,
-       .listen     = sock_no_listen,
-       .shutdown   = sock_no_shutdown,
-       .setsockopt = sock_no_setsockopt,
-       .getsockopt = sock_no_getsockopt,
-       .connect    = sock_no_connect,
-       .socketpair = sock_no_socketpair,
-       .accept     = sock_no_accept,
-       .mmap       = sock_no_mmap
+       .family         = PF_BLUETOOTH,
+       .owner          = THIS_MODULE,
+       .release        = bnep_sock_release,
+       .ioctl          = bnep_sock_ioctl,
+#ifdef CONFIG_COMPAT
+       .compat_ioctl   = bnep_sock_compat_ioctl,
+#endif
+       .bind           = sock_no_bind,
+       .getname        = sock_no_getname,
+       .sendmsg        = sock_no_sendmsg,
+       .recvmsg        = sock_no_recvmsg,
+       .poll           = sock_no_poll,
+       .listen         = sock_no_listen,
+       .shutdown       = sock_no_shutdown,
+       .setsockopt     = sock_no_setsockopt,
+       .getsockopt     = sock_no_getsockopt,
+       .connect        = sock_no_connect,
+       .socketpair     = sock_no_socketpair,
+       .accept         = sock_no_accept,
+       .mmap           = sock_no_mmap
 };
 
 static struct proto bnep_proto = {
index 10ad7fd91d833f26a188b073d46fea1ed1d2cd16..0547edd57734536d5e3c887e031c49de44ea03f1 100644 (file)
@@ -34,6 +34,7 @@
 #include <linux/socket.h>
 #include <linux/ioctl.h>
 #include <linux/file.h>
+#include <linux/compat.h>
 #include <net/sock.h>
 
 #include <linux/isdn/capilli.h>
@@ -137,11 +138,43 @@ static int cmtp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
        return -EINVAL;
 }
 
+#ifdef CONFIG_COMPAT
+static int cmtp_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
+{
+       if (cmd == CMTPGETCONNLIST) {
+               struct cmtp_connlist_req cl;
+               uint32_t uci;
+               int err;
+
+               if (get_user(cl.cnum, (uint32_t __user *) arg) ||
+                               get_user(uci, (u32 __user *) (arg + 4)))
+                       return -EFAULT;
+
+               cl.ci = compat_ptr(uci);
+
+               if (cl.cnum <= 0)
+                       return -EINVAL;
+       
+               err = cmtp_get_connlist(&cl);
+
+               if (!err && put_user(cl.cnum, (uint32_t __user *) arg))
+                       err = -EFAULT;
+
+               return err;
+       }
+
+       return cmtp_sock_ioctl(sock, cmd, arg);
+}
+#endif
+
 static const struct proto_ops cmtp_sock_ops = {
        .family         = PF_BLUETOOTH,
        .owner          = THIS_MODULE,
        .release        = cmtp_sock_release,
        .ioctl          = cmtp_sock_ioctl,
+#ifdef CONFIG_COMPAT
+       .compat_ioctl   = cmtp_sock_compat_ioctl,
+#endif
        .bind           = sock_no_bind,
        .getname        = sock_no_getname,
        .sendmsg        = sock_no_sendmsg,
index 099646e4e2ef7407b45687f2188d0bfe2cd7402b..6242446aa270fafa94144567ffcedd070388a80e 100644 (file)
@@ -35,6 +35,7 @@
 #include <linux/ioctl.h>
 #include <linux/file.h>
 #include <linux/init.h>
+#include <linux/compat.h>
 #include <net/sock.h>
 
 #include "hidp.h"
@@ -143,11 +144,88 @@ static int hidp_sock_ioctl(struct socket *sock, unsigned int cmd, unsigned long
        return -EINVAL;
 }
 
+#ifdef CONFIG_COMPAT
+struct compat_hidp_connadd_req {
+       int   ctrl_sock;        // Connected control socket
+       int   intr_sock;        // Connteted interrupt socket
+       __u16 parser;
+       __u16 rd_size;
+       compat_uptr_t rd_data;
+       __u8  country;
+       __u8  subclass;
+       __u16 vendor;
+       __u16 product;
+       __u16 version;
+       __u32 flags;
+       __u32 idle_to;
+       char  name[128];
+};
+
+static int hidp_sock_compat_ioctl(struct socket *sock, unsigned int cmd, unsigned long arg)
+{
+       if (cmd == HIDPGETCONNLIST) {
+               struct hidp_connlist_req cl;
+               uint32_t uci;
+               int err;
+
+               if (get_user(cl.cnum, (uint32_t __user *) arg) ||
+                               get_user(uci, (u32 __user *) (arg + 4)))
+                       return -EFAULT;
+
+               cl.ci = compat_ptr(uci);
+
+               if (cl.cnum <= 0)
+                       return -EINVAL;
+
+               err = hidp_get_connlist(&cl);
+
+               if (!err && put_user(cl.cnum, (uint32_t __user *) arg))
+                       err = -EFAULT;
+
+               return err;
+       } else if (cmd == HIDPCONNADD) {
+               struct compat_hidp_connadd_req ca;
+               struct hidp_connadd_req __user *uca;
+
+               uca = compat_alloc_user_space(sizeof(*uca));
+
+               if (copy_from_user(&ca, (void *) arg, sizeof(ca)))
+                       return -EFAULT;
+
+               if (put_user(ca.ctrl_sock, &uca->ctrl_sock) ||
+                               put_user(ca.intr_sock, &uca->intr_sock) ||
+                               put_user(ca.parser, &uca->parser) ||
+                               put_user(ca.rd_size, &uca->parser) ||
+                               put_user(compat_ptr(ca.rd_data), &uca->rd_data) ||
+                               put_user(ca.country, &uca->country) ||
+                               put_user(ca.subclass, &uca->subclass) ||
+                               put_user(ca.vendor, &uca->vendor) ||
+                               put_user(ca.product, &uca->product) ||
+                               put_user(ca.version, &uca->version) ||
+                               put_user(ca.flags, &uca->flags) ||
+                               put_user(ca.idle_to, &uca->idle_to) ||
+                               copy_to_user(&uca->name[0], &ca.name[0], 128))
+                       return -EFAULT;
+               
+               arg = (unsigned long) uca;
+
+               /* Fall through. We don't actually write back any _changes_
+                  to the structure anyway, so there's no need to copy back
+                  into the original compat version */
+       }
+
+       return hidp_sock_ioctl(sock, cmd, arg);
+}
+#endif
+
 static const struct proto_ops hidp_sock_ops = {
        .family         = PF_BLUETOOTH,
        .owner          = THIS_MODULE,
        .release        = hidp_sock_release,
        .ioctl          = hidp_sock_ioctl,
+#ifdef CONFIG_COMPAT
+       .compat_ioctl   = hidp_sock_compat_ioctl,
+#endif
        .bind           = sock_no_bind,
        .getname        = sock_no_getname,
        .sendmsg        = sock_no_sendmsg,