Commit f629307c authored Sep 11, 2007 by David Miller Committed by Linus Torvalds Sep 11, 2007

tty: termios locking functions break with new termios type



I ran into a few problems.

n_tty_ioctl() for instance:

drivers/char/tty_ioctl.c:799: error: $,1rxstruct termios$,1ry has no
member named $,1rxc_ispeed$,1ry

This is calling the copy interface that is supposed to be using
a termios2 when the new interfaces are defined, however:

	case TIOCGLCKTRMIOS:
		if (kernel_termios_to_user_termios((struct termios __user *)arg, real_tty->termios_locked))
			return -EFAULT;
		return 0;

This is going to write over the end of the userspace
structure by a few bytes, and wasn't caught by you yet
because the i386 implementation is simply copy_to_user()
which does zero type checking.

Signed-off-by: Alan Cox <alan@redhat.com>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent 179c85ea

drivers/char/tty_ioctl.c

+2 −2

Original line number	Original line	Diff line number	Diff line
	@@ -796,14 +796,14 @@ int n_tty_ioctl(struct tty_struct * tty, struct file * file,
	retval = inq_canon(tty);		retval = inq_canon(tty);
	return put_user(retval, (unsigned int __user *) arg);		return put_user(retval, (unsigned int __user *) arg);
	case TIOCGLCKTRMIOS:		case TIOCGLCKTRMIOS:
	if (kernel_termios_to_user_termios((struct termios __user *)arg, real_tty->termios_locked))		if (kernel_termios_to_user_termios_1((struct termios __user *)arg, real_tty->termios_locked))
	return -EFAULT;		return -EFAULT;
	return 0;		return 0;

	case TIOCSLCKTRMIOS:		case TIOCSLCKTRMIOS:
	if (!capable(CAP_SYS_ADMIN))		if (!capable(CAP_SYS_ADMIN))
	return -EPERM;		return -EPERM;
	if (user_termios_to_kernel_termios(real_tty->termios_locked, (struct termios __user *) arg))		if (user_termios_to_kernel_termios_1(real_tty->termios_locked, (struct termios __user *) arg))
	return -EFAULT;		return -EFAULT;
	return 0;		return 0;