Commit 0de89fc5 authored by Takashi Iwai's avatar Takashi Iwai Committed by Adrian Bunk

Convert snd-page-alloc proc file to use seq_file (CVE-2007-4571)

Commit ccec6e2c in mainline.

Use seq_file for the proc file read/write of snd-page-alloc module.
This automatically fixes bugs in the old proc code.

Adrian Bunk:
Backported to 2.6.16.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
parent d98c1fe4
...@@ -28,6 +28,7 @@ ...@@ -28,6 +28,7 @@
#include <linux/pci.h> #include <linux/pci.h>
#include <linux/slab.h> #include <linux/slab.h>
#include <linux/mm.h> #include <linux/mm.h>
#include <linux/seq_file.h>
#include <asm/uaccess.h> #include <asm/uaccess.h>
#include <linux/dma-mapping.h> #include <linux/dma-mapping.h>
#include <linux/moduleparam.h> #include <linux/moduleparam.h>
...@@ -512,53 +513,54 @@ static void free_all_reserved_pages(void) ...@@ -512,53 +513,54 @@ static void free_all_reserved_pages(void)
#define SND_MEM_PROC_FILE "driver/snd-page-alloc" #define SND_MEM_PROC_FILE "driver/snd-page-alloc"
static struct proc_dir_entry *snd_mem_proc; static struct proc_dir_entry *snd_mem_proc;
static int snd_mem_proc_read(char *page, char **start, off_t off, static int snd_mem_proc_read(struct seq_file *seq, void *offset)
int count, int *eof, void *data)
{ {
int len = 0;
long pages = snd_allocated_pages >> (PAGE_SHIFT-12); long pages = snd_allocated_pages >> (PAGE_SHIFT-12);
struct snd_mem_list *mem; struct snd_mem_list *mem;
int devno; int devno;
static char *types[] = { "UNKNOWN", "CONT", "DEV", "DEV-SG", "SBUS" }; static char *types[] = { "UNKNOWN", "CONT", "DEV", "DEV-SG", "SBUS" };
down(&list_mutex); down(&list_mutex);
len += snprintf(page + len, count - len, seq_printf(seq, "pages : %li bytes (%li pages per %likB)\n",
"pages : %li bytes (%li pages per %likB)\n", pages * PAGE_SIZE, pages, PAGE_SIZE / 1024);
pages * PAGE_SIZE, pages, PAGE_SIZE / 1024);
devno = 0; devno = 0;
list_for_each_entry(mem, &mem_list_head, list) { list_for_each_entry(mem, &mem_list_head, list) {
devno++; devno++;
len += snprintf(page + len, count - len, seq_printf(seq, "buffer %d : ID %08x : type %s\n",
"buffer %d : ID %08x : type %s\n", devno, mem->id, types[mem->buffer.dev.type]);
devno, mem->id, types[mem->buffer.dev.type]); seq_printf(seq, " addr = 0x%lx, size = %d bytes\n",
len += snprintf(page + len, count - len, (unsigned long)mem->buffer.addr,
" addr = 0x%lx, size = %d bytes\n", (int)mem->buffer.bytes);
(unsigned long)mem->buffer.addr, (int)mem->buffer.bytes);
} }
up(&list_mutex); up(&list_mutex);
return len; return 0;
}
static int snd_mem_proc_open(struct inode *inode, struct file *file)
{
return single_open(file, snd_mem_proc_read, NULL);
} }
/* FIXME: for pci only - other bus? */ /* FIXME: for pci only - other bus? */
#ifdef CONFIG_PCI #ifdef CONFIG_PCI
#define gettoken(bufp) strsep(bufp, " \t\n") #define gettoken(bufp) strsep(bufp, " \t\n")
static int snd_mem_proc_write(struct file *file, const char __user *buffer, static ssize_t snd_mem_proc_write(struct file *file, const char __user * buffer,
unsigned long count, void *data) size_t count, loff_t * ppos)
{ {
char buf[128]; char buf[128];
char *token, *p; char *token, *p;
if (count > ARRAY_SIZE(buf) - 1) if (count > sizeof(buf) - 1)
count = ARRAY_SIZE(buf) - 1; return -EINVAL;
if (copy_from_user(buf, buffer, count)) if (copy_from_user(buf, buffer, count))
return -EFAULT; return -EFAULT;
buf[ARRAY_SIZE(buf) - 1] = '\0'; buf[count] = '\0';
p = buf; p = buf;
token = gettoken(&p); token = gettoken(&p);
if (! token || *token == '#') if (! token || *token == '#')
return (int)count; return count;
if (strcmp(token, "add") == 0) { if (strcmp(token, "add") == 0) {
char *endp; char *endp;
int vendor, device, size, buffers; int vendor, device, size, buffers;
...@@ -579,7 +581,7 @@ static int snd_mem_proc_write(struct file *file, const char __user *buffer, ...@@ -579,7 +581,7 @@ static int snd_mem_proc_write(struct file *file, const char __user *buffer,
(buffers = simple_strtol(token, NULL, 0)) <= 0 || (buffers = simple_strtol(token, NULL, 0)) <= 0 ||
buffers > 4) { buffers > 4) {
printk(KERN_ERR "snd-page-alloc: invalid proc write format\n"); printk(KERN_ERR "snd-page-alloc: invalid proc write format\n");
return (int)count; return count;
} }
vendor &= 0xffff; vendor &= 0xffff;
device &= 0xffff; device &= 0xffff;
...@@ -591,7 +593,7 @@ static int snd_mem_proc_write(struct file *file, const char __user *buffer, ...@@ -591,7 +593,7 @@ static int snd_mem_proc_write(struct file *file, const char __user *buffer,
if (pci_set_dma_mask(pci, mask) < 0 || if (pci_set_dma_mask(pci, mask) < 0 ||
pci_set_consistent_dma_mask(pci, mask) < 0) { pci_set_consistent_dma_mask(pci, mask) < 0) {
printk(KERN_ERR "snd-page-alloc: cannot set DMA mask %lx for pci %04x:%04x\n", mask, vendor, device); printk(KERN_ERR "snd-page-alloc: cannot set DMA mask %lx for pci %04x:%04x\n", mask, vendor, device);
return (int)count; return count;
} }
} }
for (i = 0; i < buffers; i++) { for (i = 0; i < buffers; i++) {
...@@ -601,7 +603,7 @@ static int snd_mem_proc_write(struct file *file, const char __user *buffer, ...@@ -601,7 +603,7 @@ static int snd_mem_proc_write(struct file *file, const char __user *buffer,
size, &dmab) < 0) { size, &dmab) < 0) {
printk(KERN_ERR "snd-page-alloc: cannot allocate buffer pages (size = %d)\n", size); printk(KERN_ERR "snd-page-alloc: cannot allocate buffer pages (size = %d)\n", size);
pci_dev_put(pci); pci_dev_put(pci);
return (int)count; return count;
} }
snd_dma_reserve_buf(&dmab, snd_dma_pci_buf_id(pci)); snd_dma_reserve_buf(&dmab, snd_dma_pci_buf_id(pci));
} }
...@@ -627,9 +629,21 @@ static int snd_mem_proc_write(struct file *file, const char __user *buffer, ...@@ -627,9 +629,21 @@ static int snd_mem_proc_write(struct file *file, const char __user *buffer,
free_all_reserved_pages(); free_all_reserved_pages();
else else
printk(KERN_ERR "snd-page-alloc: invalid proc cmd\n"); printk(KERN_ERR "snd-page-alloc: invalid proc cmd\n");
return (int)count; return count;
} }
#endif /* CONFIG_PCI */ #endif /* CONFIG_PCI */
static struct file_operations snd_mem_proc_fops = {
.owner = THIS_MODULE,
.open = snd_mem_proc_open,
.read = seq_read,
#ifdef CONFIG_PCI
.write = snd_mem_proc_write,
#endif
.llseek = seq_lseek,
.release = single_release,
};
#endif /* CONFIG_PROC_FS */ #endif /* CONFIG_PROC_FS */
/* /*
...@@ -640,12 +654,8 @@ static int __init snd_mem_init(void) ...@@ -640,12 +654,8 @@ static int __init snd_mem_init(void)
{ {
#ifdef CONFIG_PROC_FS #ifdef CONFIG_PROC_FS
snd_mem_proc = create_proc_entry(SND_MEM_PROC_FILE, 0644, NULL); snd_mem_proc = create_proc_entry(SND_MEM_PROC_FILE, 0644, NULL);
if (snd_mem_proc) { if (snd_mem_proc)
snd_mem_proc->read_proc = snd_mem_proc_read; snd_mem_proc->proc_fops = &snd_mem_proc_fops;
#ifdef CONFIG_PCI
snd_mem_proc->write_proc = snd_mem_proc_write;
#endif
}
#endif #endif
return 0; return 0;
} }
......
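Review bot: In snd_mem_proc_write the DMA-mask failure path (the `return count;` after the "cannot set DMA mask" printk) returns without `pci_dev_put(pci)`, while the allocation-failure path a few lines later releases the device before returning; if `pci` holds a reference at that point, as the later path suggests, each failed write leaks it. The lookup that obtains `pci` lies outside the visible hunks, so confirm it there; the fix would be to add `pci_dev_put(pci);` before that `return count;`. Separately, snd_mem_proc_read still indexes `types[mem->buffer.dev.type]` without a range check and prints `mem->buffer.addr` into an entry created with mode 0644. A short comment stating that `dev.type` is always one of the five listed values, and whether the address is meant to be readable by unprivileged users, would help the next reader.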