[PATCH] new sysctl checking accesses userspace directly

The recent change from Andi breaks here: tmp.name is user pointer, not array in __sysctl_args, and so it is better to access it through copy_from_user instead of directly.

[PATCH] new sysctl checking accesses userspace directly
The recent change from Andi breaks here: tmp.name is user pointer, not array in __sysctl_args, and so it is better to access it through copy_from_user instead of directly.
816931f9 · Petr Vandrovec · Linus Torvalds · 692dd963 · 816931f9
Commit 816931f9 authored Jul 12, 2003 by Petr Vandrovec Committed by Linus Torvalds Jul 12, 2003
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 4 deletions

kernel/sysctl.c kernel/sysctl.c +12 -4

No files found.
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -848,17 +848,25 @@ int do_sysctl(int __user *name, int nlen, void __user *oldval, size_t __user *ol
 asmlinkage long sys_sysctl(struct __sysctl_args __user *args)
 {
 	struct __sysctl_args tmp;
+	int name[2];
 	int error;

 	if (copy_from_user(&tmp, args, sizeof(tmp)))
 		return -EFAULT;
 	
-	if (tmp.nlen != 2 || tmp.name[0] != CTL_KERN ||
-	    tmp.name[1] != KERN_VERSION) { 
+	if (tmp.nlen != 2 || copy_from_user(name, tmp.name, sizeof(name)) ||
+	    name[0] != CTL_KERN || name[1] != KERN_VERSION) { 
 		int i;
 		printk(KERN_INFO "%s: numerical sysctl ", current->comm); 
-		for (i = 0; i < tmp.nlen; i++) 
-			printk("%d ", tmp.name[i]); 
+		for (i = 0; i < tmp.nlen; i++) {
+			int n;
+			
+			if (get_user(n, tmp.name+i)) {
+				printk("? ");
+			} else {
+				printk("%d ", n);
+			}
+		}
 		printk("is obsolete.\n");
 	}